CLI Guide - WatchGuard Technologies
WatchGuard
Command Line Interface
User Guide
WatchGuard Firebox Vclass 5.1
Copyright

Copyright © 1998-2003 WatchGuard Technologies, Inc. All rights reserved.

Notice to Users

Information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser’s personal use, without prior written permission from WatchGuard Technologies, Inc.

TRADEMARK NOTES

WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, ServerLock, DVCP, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Part No: 1200016
WatchGuard Technologies, Inc.
Firebox System Software
End-User License Agreement

WatchGuard Firebox System (WFS) End-User License Agreement

IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:

This WFS End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUARD WFS software product identified above, which includes computer software and may include associated media, printed materials, and online or electronic documentation (“SOFTWARE PRODUCT”). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.

1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its suppliers. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.

2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:

(A) You may install and use the SOFTWARE PRODUCT on any single computer at any single location. If you wish to use the SOFTWARE PRODUCT on a different computer, you must erase the SOFTWARE PRODUCT from the first computer on which you installed it before you install it onto a second.

(B) To use the SOFTWARE PRODUCT on more than one computer at once, you must license an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want to use it.

(C) You may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.

3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:

(A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT;

(B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;

(C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT;

(D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or

(E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WatchGuard Technologies or an authorized dealer:

(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to us with a dated proof of purchase.

(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.

Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THIS SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).

Limitation of Liability. WATCHGUARD’s liability (whether in contract, tort, or otherwise; and notwithstanding any fault, negligence, strict liability or product liability) with regard to THE SOFTWARE Product will in no event exceed the purchase price paid by you for such Product. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5. United States Government Restricted Rights. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104.

6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.

7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.

8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the contents of this package, and supersedes any prior purchase order, communications, advertising or representations concerning the contents of this package AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. No change or modification of this AGREEMENT will be valid unless it is in writing, and is signed by WATCHGUARD.

9. Canadian Transactions: If you obtained this SOFTWARE PRODUCT in Canada, you agree to the following:

The parties hereto have expressly required that the present AGREEMENT and its Exhibits be drawn up in the English language. / Les parties aux présentes ont expressément exigé que la présente convention et ses Annexes soient rédigées en la langue anglaise.
Contents

CHAPTER 1 Using the Command Line Interface
  Introducing the WatchGuard CLI
    CLI capabilities
    CLI limitations
    CLI Guide text conventions
  Getting started with the WatchGuard CLI
    Connecting to an appliance
    Logging into an appliance via a console connection
    Logging into an existing appliance via a network connection
    Understanding the command prompt
    Abbreviating commands and keywords
    Case sensitivity
    Extending command lines
    Typing arguments in a command
    Deleting text in the Command Line Interface
    Using the CLI to add to or replace existing settings and policies
    Grouping parameters in a command
    Reviewing the recently used commands
  Navigating through the CLI
    Common Navigation commands
    Using keywords
    Show command/argument (“name”) usage
    Viewing context-sensitive online help
    Logging out of the appliance
  Installing and configuring a WatchGuard appliance
    To log into a WatchGuard appliance for the first time
    To assign network addresses to appliance interfaces
    To complete system configuration
    To create and apply security policies
    To remove/delete items from a WatchGuard database
    To save and apply your most recent changes
    To maintain an appliance
    To troubleshoot an appliance
    To restore an appliance to the factory-default state
    To review the most recent tasks (at any level)
    To get on-line help while working

CHAPTER 2 Administration Mode Commands
  Command syntax conventions used in this guide
  Administration mode commands
    account command
    downgrade command
    export command
    flush command
    ha_sync command
    import command
    operation_mode command
    passwd command
    reboot command
    restore default command
    shutdown command
    upgrade command

CHAPTER 3 Configuration Mode Commands
  Top-level configuration mode commands
    abort command
    address command
    certificate command
    commit command
    delete command
    denial_of_service command
    high_availability commands
    ike command
    interface command
    ipsec command
    license command
    log command
    nat command
    no command
    policy command
    qos command
    ras command
    rename command
    schedule command
    service command
    system command
    trace command
    tenant command
    tunnel_switch command
    history command
  Second level configuration mode commands
    Level 2 certificate configuration commands
    Level 2 High Availability configuration commands
    Level 2 IKE configuration commands
    Level 2 interface configuration commands
    Level 2 IPSec configuration commands
    Level 2 Quality of Service (QoS) configuration commands
    Level 2 Remote Access Service (RAS) configuration commands
    Level 2 System Configuration commands
    Level 2 license commands (for upgraded or additional features)
    Level 2 tenant configuration commands
  Level 3 configuration mode commands
    Level 3 route configuration commands
    Level 3 log configuration commands

CHAPTER 4 Debug Mode Commands
  Debugging/troubleshooting commands
    arp command
    clear_logs
    config_http command
    conn_idle_timeout command
    ha_instant_sync command
    hwdiag command
    ifconfig command
    importscreen command
    kernel_debug command
    netstat command
    ping command
    pppoe_config command
    radius_ping command
    rcinfo command
    reboot command
    rs_kdiag command
    set_dos_if command
    slink command
    tcpdump command
    traceroute command
    verbose_trace command
    vinstall command

CHAPTER 5 Other Commands
  No command
  Rename command
  Show command
    Show command general usage
    Show address command
    Show alarm command
    Show all_routes command
    Show certificate command
    Show CPM command
    Show denial_of_service command
    Show diagnostics command
    Show DNS command
    Show IKE command
    Show interface command
    Show IPSec command
    Show LDAP command
    Show license command
    Show log command
    Show mode command
    Show NAT command
    Show NTP command
    Show policy command
    Show QoS command
    Show RAS command
    Show route command
    Show SA command
    Show service command
    Show SNMP command
    Show statistics command
    Show sysinfo command
    Show sysupgrade command
    Show trace command
    Show tunnel_switch command
    Show version command

Index
CHAPTER 1 Using the Command Line Interface

Introducing the WatchGuard CLI

The WatchGuard CLI (Command Line Interface) offers the experienced network administrator an efficient way to set up and manage WatchGuard Firebox Vclass security appliances via a terminal application. Because the CLI architecture follows a model implemented in many industry-standard routers, network administrators familiar with the routers commonly deployed in network environments will find the WatchGuard CLI both easy to learn and to use.

You can use the CLI to administer an appliance through a console port connection, or through a network connection to any of the data interfaces via an SSH client using protocol 2 or via Telnet, once the appropriate firewall-access policies have been created and configured on the target appliance. Note that Telnet carries the login name and password in cleartext; for network administration, prefer SSH protocol 2 and restrict the firewall-access policy to the addresses of your management workstations.

While the CLI replicates most of the functionality of the WatchGuard Vcontroller application, we strongly recommend that you familiarize yourself with the use of WatchGuard Vcontroller before attempting to use the CLI. Learning the WatchGuard Vcontroller, its terms and processes, and the underlying “flow” of appliance administration will establish a solid competency with concepts and terms used extensively in the CLI.

We also recommend that you review the latest Release Notes for your WatchGuard security appliances and verify that the most current versions of WatchGuard and Java software are being used. Electronic copies may be obtained from the WatchGuard Technical Support web site (www.watchguard.com/support/). The Technical Support Group can also assist in verifying that you have all of the latest WatchGuard software.
CLI capabilities

The WatchGuard command line interface (CLI) provides you with simple, fast, command-line access to any local WatchGuard Firebox Vclass security appliance to perform most major administrative tasks, including rebooting, resetting appliance interface IP addresses, entering remote access user accounts, and managing policies, actions and proposals stored in the appliance database.

An almost-complete list of CLI setup and administration tasks includes the following:

• Configuring security appliance software
• Interface (port) management
• Viewing current system settings
• Inserting new security policies
• Editing or removing existing policies
• Reorganizing sort order of policies
• Configuring and using the High Availability feature
• Opening and reviewing current log files
• Displaying reports of tunnel and SA activities
• Restoring factory-default configurations
• Shutting down and restarting security appliances
CLI limitations

Please note that the WatchGuard CLI is not a complete replacement for the WatchGuard Vcontroller application, as you cannot do the following with the CLI:

• Set up probes that monitor the current activities of the security appliance
• Set up, activate, and review alarms that are triggered by a range of operational circumstances
• Import Certificate Revocation List (CRL) files or their contents
• Create “admin” access user accounts
• Create firewall-access internal user accounts
CLI Guide text conventions

To help you better use this guide, the following text conventions are used.

Control key
The symbol ^ represents the Control (CTRL) key and is usually used in combination with other text. For example, when you see the key combinations ^Z or Ctrl-Z, this means you should hold down the Control key while pressing the Z key. In the guide, these keys may be printed in capital letters, but “Ctrl+letter” functions are not case-sensitive.

Text strings
A text string is defined as a set of user-variable characters. Text strings (or, strings) are usually presented as example data, or the kind of thing one might type for a particular value. Such an example might be presented enclosed in quotation marks; however, you do not need to type quotes when entering a text string.

For example, we might say: set a user_profile name to “All_RAS_Users.” In this example, you could type your own user profile name (or string) in place of All_RAS_Users.

You should enclose a string in quotes in instances where the text entry includes spaces. For example, if entering a name like “Joan Smith,” with a space between the first and last name, you should enclose this entry in quotations to preserve it as a single entity.

For example:

    WG(config)#address -group exec_staff
    WG(config)#address -group "exec staff"

Carriage returns
Carriage returns are Enter key presses. Command examples may omit the Enter key for the sake of brevity.

Letter spaces
Space characters (entered by pressing the Space bar on the keyboard) are written out explicitly in a few instances in this Guide. In most cases, however, spaces are simply represented by actual spaces. For example, in:

    WG(config)#address -group exec_staff

there is a single space between “address” and “-group,” and between “-group” and “exec_staff.”

Comments
Comments are presented as italicized text preceded by the “#” character.

    # This is a sample comment.

More command-specific and argument-specific conventions are detailed in “Command syntax conventions used in this guide” in Chapter 2.
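As an added illustration of the quoting and comment conventions above (example code written for this page, not WatchGuard's own parser; the Vclass CLI's actual tokenizer may differ in details the guide does not describe), the following Python function splits the text typed after the WG(config)# prompt into arguments. Whitespace separates arguments, a double-quoted string containing spaces stays a single argument with the quotes removed, a “#” outside quotes starts a comment, and an unterminated quote is rejected rather than silently accepted. The sample lines at the bottom are constructed from the examples above.

```python
"""Tokenizer for a CLI line that follows the quoting and comment conventions
described in "CLI Guide text conventions".  Added example; this is not
WatchGuard's parser, and the real Vclass CLI may differ in unstated details.

Rules implemented:
  * whitespace separates arguments;
  * a double-quoted string is one argument even if it contains spaces,
    and the quotes themselves are not part of the value;
  * '#' outside quotes starts a comment that runs to end of line
    (the '#' in the WG(config)# prompt is not part of the typed line);
  * an unterminated quote raises ValueError instead of being guessed at.
"""
from typing import List, Optional


def tokenize(line: str) -> List[str]:
    """Split one CLI line (text after the prompt) into its arguments."""
    args: List[str] = []
    current: List[str] = []
    in_quotes = False
    have_token = False  # lets an empty quoted string "" still count as a token

    for ch in line:
        if in_quotes:
            if ch == '"':
                in_quotes = False  # closing quote; stay on the same token
            else:
                current.append(ch)  # spaces and '#' inside quotes are literal
        elif ch == '"':
            in_quotes = True
            have_token = True
        elif ch == "#":
            break  # comment: ignore the rest of the line
        elif ch.isspace():
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True

    if in_quotes:
        raise ValueError("unterminated quoted string: %r" % line)
    if have_token:
        args.append("".join(current))
    return args


def group_name(line: str) -> Optional[str]:
    """Return the name given to 'address -group <name>', or None if the line
    does not have exactly that shape (e.g. an unquoted name with a space)."""
    args = tokenize(line)
    if len(args) == 3 and args[0] == "address" and args[1] == "-group":
        return args[2]
    return None


if __name__ == "__main__":
    # Constructed sample lines, based on the examples in the conventions section.
    for sample in (
        'address -group exec_staff',
        'address -group "exec staff"',
        'address -group exec staff',             # unquoted: two separate arguments
        'address -group "exec staff"  # comment',
        'address -group "exec # staff"',         # '#' inside quotes is not a comment
        'address -group "exec staff',            # unterminated quote: rejected
    ):
        try:
            print(repr(sample), "->", tokenize(sample), "group:", group_name(sample))
        except ValueError as exc:
            print(repr(sample), "->", exc)
```

The third sample is the case the convention warns about: without quotes, “exec staff” arrives as two arguments, so a command that expects a single name sees an extra argument rather than the intended name.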
Getting started with the WatchGuard CLI

Connecting to an appliance

The WatchGuard CLI can be used to perform pre-installation setup tasks, or to reconfigure or administer the appliance at any time. These comprise two distinct uses of the CLI, which in turn require different connections:

• To use the CLI in pre-installation setup or to do direct administration of a WatchGuard appliance, you can directly connect the appliance to your workstation by connecting a cable from the Console port on the front of the appliance to a serial port on your workstation. Your Vclass package includes an adapter for this purpose. After this connection is made, you can connect directly to the appliance via a terminal application.

• To use the CLI for administration after a WatchGuard appliance has been set up and configured, you can make use of existing network connections. All you need is (1) the IP address of a WatchGuard appliance data interface and (2) a currently active policy permitting CLI console (Telnet/SSH) access to the system through that interface. This may be done by means of the CLI or the WatchGuard Vcontroller, once configuration is complete.

NOTE
If you attempt to log into a functioning, fully configured WatchGuard appliance with the CLI, you must enter “admin” as the login (or “rsadmin” for legacy appliances), as the CLI will not permit use of any other “super admin” account names.
Logging into an appliance via a console<br />
connection<br />
To log into a brand new “factory default” <strong>WatchGuard</strong><br />
appliance by means of the <strong>CLI</strong> console and a console (serial<br />
port) connection, follow these steps:<br />
1 Start any terminal application and open a new<br />
connection window.<br />
2 Verify that the terminal has been set to VT100.<br />
NOTE<br />
If the terminal is not set to VT100, various functions may not<br />
work—^c will not break, ESC will not work and you’ll have<br />
problems with special characters.<br />
Connection parameters include:<br />
- 9600 bps<br />
- 8 data bits<br />
- No parity<br />
- 1 stop bit<br />
- Flow control: none<br />
3 Press once after configuring the connection<br />
parameters.<br />
The connection should be immediate, at which time a welcome<br />
message is displayed, followed by a <strong>WatchGuard</strong> “Login”<br />
prompt.<br />
4 As this is a new appliance, type “admin” (the default<br />
login text) and press . The login for a legacy<br />
appliance is “rsadmin.”<br />
A “Password” prompt is displayed.<br />
5 Type “admin” (again, the default password text) and<br />
press to submit the password and log in to<br />
this security appliance. The default password for a<br />
legacy device is “rsadmin.”<br />
If the login connection is successful, a WG# prompt is displayed.<br />
<strong>WatchGuard</strong> Firebox V100 (OS 4.0)<br />
login:admin<br />
Password:[type your password, nothing is<br />
displayed]<br />
WG#<br />
Welcome to the <strong>WatchGuard</strong> <strong>CLI</strong> Shell<br />
You can now work with the <strong>CLI</strong>.<br />
Logging into an existing appliance via a<br />
network connection<br />
To log into a currently active (configured) <strong>WatchGuard</strong><br />
appliance over a network connection, follow these steps:<br />
1 Make sure that this appliance has an active policy<br />
permitting telnet/SSH access via a specific<br />
<strong>WatchGuard</strong> appliance interface.<br />
2 Start any telnet/SSH application and verify that your<br />
terminal emulation is “vt100” (necessary in Windows<br />
2000).<br />
3 Type the IP address or qualified network name of the<br />
appliance interface and press Enter.<br />
4 When a <strong>WatchGuard</strong> “Login” prompt is displayed,<br />
type “admin” (or “rsadmin” for a legacy appliance)<br />
and press .<br />
NOTE<br />
The <strong>CLI</strong> will not accept any other “superadmin” login<br />
names.<br />
A “Password” prompt is displayed.<br />
5 Type the current password (the default is “admin”, or<br />
“rsadmin” for a legacy appliance) and press <br />
to submit the password and log into this security<br />
appliance.<br />
A new WG# prompt is displayed.<br />
Understanding the command prompt<br />
As you navigate through the <strong>WatchGuard</strong> Command Line<br />
Interface, the command prompt will always indicate what<br />
command level/mode you are in. For example:<br />
Command Prompt Command Level/Mode<br />
WG# indicates that you are at the root level<br />
WG(config)# indicates that you are in Configuration mode<br />
WG(config-system)# indicates that you are in Configuration mode at the<br />
System level<br />
WG(config-if)# indicates that you are in Configuration mode at the<br />
System Interface level<br />
Abbreviating commands and keywords<br />
You can abbreviate the available commands and keywords<br />
for each command group or mode, down to the minimum<br />
number of characters that can safely be used to represent a<br />
command, so that it cannot be mistaken for another command<br />
by the <strong>CLI</strong>. For example, the command show can be<br />
abbreviated “sh” and the command dmz can be abbreviated<br />
as “d.”<br />
NOTE<br />
In Administration mode, you cannot use abbreviated<br />
commands. Administration mode requires that you type the<br />
full word for each command.<br />
Case sensitivity<br />
Commands, command arguments and keywords in the<br />
<strong>WatchGuard</strong> <strong>CLI</strong> are not case sensitive. For example, show<br />
policy is equivalent to SHow POLicy.<br />
NOTE<br />
Object name strings are case sensitive. Typing the address<br />
group name (string) “EveryBody_on_NET_A” is not the<br />
same as typing “everybody_on_net_a”! This covers all text<br />
strings, whether enclosed in quotes or not.<br />
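The abbreviation and case rules just described, modelled in Python. This is an added example, not WatchGuard code: the Configuration-mode command set is constructed from command names this guide lists, and the resolver shows why a prefix is accepted only when it cannot be mistaken for another command.<br />

```python
"""Abbreviation and case-sensitivity rules of the WatchGuard CLI, modelled
in Python. Added illustration, not WatchGuard code; the command set below
is constructed from the command names this guide lists."""

# Constructed: Configuration-mode commands named in this guide's task catalog.
CONFIG_COMMANDS = [
    "address", "cert", "commit", "delete", "denial_of_service",
    "high_availability", "log", "nat", "policy", "schedule", "service",
    "show", "tunnel_switch", "vlan", "exit", "top", "history",
]


class AmbiguousCommand(ValueError):
    """The typed prefix matches more than one command."""


class UnknownCommand(ValueError):
    """The typed text matches no command (or abbreviation is not allowed)."""


def resolve_command(typed, commands=CONFIG_COMMANDS, allow_abbrev=True):
    """Expand a (possibly abbreviated) command keyword to its full form.

    Keywords are matched case-insensitively, so "SHow" and "show" are the
    same command. With allow_abbrev=True a prefix is accepted only when it
    is unique: "sh" -> "show", but "s" could be schedule/service/show and
    is rejected instead of guessed. With allow_abbrev=False (Administration
    mode) only the complete word is accepted.
    """
    needle = typed.lower()
    exact = [c for c in commands if c.lower() == needle]
    if exact:
        return exact[0]
    if not allow_abbrev:
        raise UnknownCommand(f"{typed!r}: this mode requires the full command word")
    matches = sorted(c for c in commands if c.lower().startswith(needle))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnknownCommand(f"{typed!r}: no such command")
    raise AmbiguousCommand(f"{typed!r} could be any of: {', '.join(matches)}")


def try_resolve(typed, commands=CONFIG_COMMANDS, allow_abbrev=True):
    """Like resolve_command, but returns (status, value) instead of raising."""
    try:
        return ("ok", resolve_command(typed, commands, allow_abbrev))
    except AmbiguousCommand as exc:
        return ("ambiguous", str(exc))
    except UnknownCommand as exc:
        return ("unknown", str(exc))


def min_abbreviation(command, commands=CONFIG_COMMANDS):
    """Shortest prefix of `command` that no other command in the set shares,
    i.e. the minimum number of characters that can safely be typed."""
    target = command.lower()
    others = [c.lower() for c in commands if c.lower() != target]
    for n in range(1, len(target) + 1):
        prefix = target[:n]
        if not any(o.startswith(prefix) for o in others):
            return prefix
    return target  # another command has this one as a prefix: type it in full


def same_object_name(a, b):
    """Object names (address groups, policies, ...) are compared exactly:
    "EveryBody_on_NET_A" and "everybody_on_net_a" are different objects."""
    return a == b


if __name__ == "__main__":
    for typed in ("SHow", "sh", "s", "d", "del", "commit"):
        print(f"{typed:8} -> {try_resolve(typed)}")
    print("show can be typed as", min_abbreviation("show"))
    print(same_object_name("EveryBody_on_NET_A", "everybody_on_net_a"))
```

Note that the resolver refuses an ambiguous prefix rather than picking the first match; with this constructed command set, "s" is rejected while "sh", "sc" and "se" are enough, and in Administration mode only the full word passes.<br />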
Extending command lines<br />
Long command lines can be continued onto the next line of<br />
a terminal display by typing the backslash character (\) at<br />
the end of the command line, similar to the use of the backslash<br />
character in C programming syntax. This permits you<br />
to type more information (parameters) without breaking<br />
the continuity of the entire command.<br />
In the following example of a progression of four commands,<br />
the backslash character typed (\) right before the<br />
in the last command line enables the administrator<br />
to continue the contents of that command line onto the<br />
next line:<br />
WG#<br />
WG#configure<br />
WG(config)#cert<br />
WG(config-cert)#req cert -com WatchGuard -cou US \<br />
-dns rs101.WatchGuard.com -key {rsa 1024 both}<br />
Typing arguments in a command<br />
Be sure to type a "-" (hyphen) before any arguments, or the<br />
<strong>CLI</strong> will ignore and omit that argument’s condition.<br />
Deleting text in the Command Line Interface<br />
To delete characters to the left of the cursor, press the Backspace<br />
key, or press ^h.<br />
To delete all characters from the current position of the cursor<br />
back to the beginning of the command line, press ^u.<br />
Using the <strong>CLI</strong> to add to or replace existing<br />
settings and policies<br />
Existing settings can be modified using the <strong>WatchGuard</strong><br />
<strong>CLI</strong> in two ways:<br />
1 An existing item can be overwritten/replaced with an<br />
entirely new item<br />
2 Additional entries or qualifications can be appended to<br />
an existing item<br />
Adding entries to an existing item requires use of the<br />
“plus” character (+).<br />
If a setting or entry already exists in this <strong>WatchGuard</strong><br />
appliance, add a “plus” character (+) before additional elements<br />
to edit that setting. In the following example, an<br />
additional host with an IP address of 199.86.77.100 is added<br />
to the address group “VPNnet”<br />
WG(config)#address VPNnet + -host 199.86.77.100<br />
WG(config)#exit<br />
Commit before exit? (Y/N):y<br />
WG#_<br />
The named address group object VPNnet now has an additional<br />
(host) member with an IP address of 199.86.77.100.<br />
Grouping parameters in a command<br />
Groups of parameters may be repeated in a command line<br />
by enclosing each group in “curly” brackets ({group1<br />
param1 param2} {group2 param1 param2} etc.). In the following<br />
example of command line block repetition, an IP<br />
address, port number, and weight are assigned for each of<br />
three servers in a round-robin load balanced cluster:<br />
WG(config)#nat -vip round -server \<br />
{10.10.0.100 80 1} {10.10.0.101 80 2} \<br />
{10.10.0.102 80 3}<br />
Note too, that the command line in the above example was<br />
“extended” with the use of the backslash (\) character, so<br />
that more parameters could be included in the command.<br />
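The syntax rules from the preceding sections (quoted strings, backslash continuation, "-" argument prefixes, the "+" append marker and repeatable {...} groups) gathered into one small parser. This is an added example, not WatchGuard code: it only structures a command line and executes nothing, and the sample lines are constructed from this chapter's own examples with the prompts removed.<br />

```python
"""Parser for the command-line conventions this chapter describes: quoted
strings, backslash line continuation, "-"-prefixed arguments, the "+"
append marker and repeatable {...} parameter groups. Added illustration,
not WatchGuard code; it structures a command line and executes nothing."""


def join_continued_lines(lines):
    """Join physical lines: a trailing backslash continues the command on
    the next line, as in the cert and nat examples above."""
    logical, pending = [], ""
    for line in lines:
        text = line.rstrip()
        if text.endswith("\\"):
            pending += text[:-1].rstrip() + " "
            continue
        logical.append((pending + text).strip())
        pending = ""
    if pending.strip():        # dangling backslash at the end of the input
        logical.append(pending.strip())
    return logical


def tokenize(line):
    """Split one logical line into tokens. Plain words are strings, a
    "quoted string" is one string with its spaces kept, a {group} becomes a
    tuple of its inner tokens, and "#" starts a comment."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        ch = line[i]
        if ch.isspace():
            i += 1
        elif ch == "#":
            break
        elif ch == '"':
            close = line.find('"', i + 1)
            if close < 0:
                raise ValueError("unterminated quoted string")
            tokens.append(line[i + 1:close])
            i = close + 1
        elif ch == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(line[j], 0)
                j += 1
            if depth:
                raise ValueError("unterminated { group")
            tokens.append(tuple(tokenize(line[i + 1:j - 1])))
            i = j
        elif ch == "}":
            raise ValueError("} without matching {")
        else:
            j = i
            while j < n and not line[j].isspace() and line[j] not in '"{}':
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def is_argument_name(token):
    """'-host' is an argument name; '-5' or a lone '-' is a value."""
    return (isinstance(token, str) and len(token) > 1
            and token[0] == "-" and not token[1:].isdigit())


def parse(tokens):
    """Group tokens into the command words, the "+" append flag and a dict
    of argument name -> list of values ({group} values stay tuples)."""
    cmd = {"words": [], "append": False, "args": {}}
    current = None
    for tok in tokens:
        if tok == "+":
            cmd["append"] = True
        elif is_argument_name(tok):
            current = tok[1:]
            cmd["args"].setdefault(current, [])
        elif current is None:
            cmd["words"].append(tok)
        else:
            cmd["args"][current].append(tok)
    return cmd


def parse_session(lines):
    """Continuation joining, tokenizing and parsing for a list of physical
    lines (prompts already stripped)."""
    return [parse(tokenize(line)) for line in join_continued_lines(lines)]


# Constructed sample input, taken from the examples in this chapter.
SAMPLE_LINES = [
    'address -group "exec staff"',
    "address VPNnet + -host 199.86.77.100",
    "req cert -com WatchGuard -cou US \\",
    "-dns rs101.WatchGuard.com -key {rsa 1024 both}",
    "nat -vip round -server \\",
    "{10.10.0.100 80 1} {10.10.0.101 80 2} \\",
    "{10.10.0.102 80 3}",
]

if __name__ == "__main__":
    for parsed in parse_session(SAMPLE_LINES):
        print(parsed)
    # Without quotes the two words become two separate values:
    print(parse(tokenize("address -group exec staff"))["args"]["group"])
```

Running the module shows the seven physical lines collapsing to four commands, the quoted "exec staff" surviving as one value, and the three {server} groups arriving as three tuples under the -server argument; the unquoted variant at the end shows what the CLI would see without the quotes.<br />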
Reviewing the recently used commands<br />
The <strong>WatchGuard</strong> <strong>CLI</strong> stores up to 20 commands (at each<br />
level in every mode) in a History buffer, which you can use<br />
to view your most recent tasks.<br />
• Type history at any prompt to review the<br />
last twenty commands applied at that level of the <strong>CLI</strong>.<br />
The <strong>CLI</strong> will append a number to each line, to indicate<br />
its place in the overall chronology. The higher the<br />
number, the more recently that command was enacted.<br />
(Note that active command history listings may have<br />
multiple-digit numbers.)<br />
• Type !! (two exclamation points) to recall and re-enact<br />
the most recently used command recorded in the<br />
buffer for this mode and level.<br />
• Type !6 (exclamation point followed by a number) to<br />
display and enact the command identified as “6” in the<br />
buffer at this <strong>CLI</strong> level.<br />
• Type !! to display the most<br />
recent command and to append it with arguments and<br />
values as needed. For example, if the last command<br />
was “show”, you could type “!!address” to display the<br />
current list of address groups.<br />
New or different command arguments may be “substituted”<br />
in the most-recent command line recalled from history.<br />
Use the format<br />
^old_command^new_command to effect a substitution as<br />
shown in the following example:<br />
WG#!49 < Recall command line #49 #This is the<br />
command.<br />
show service DNS #The next six lines are the result.<br />
Service Group:<br />
Name = DNS<br />
Description = "Domain Name Services"<br />
Protocol = UDP<br />
Server_port = 53<br />
WG#^DNS^SSH #This command substitutes SSH for DNS and<br />
#executes show service SSH.<br />
Service Group: #This shows the results.<br />
Name = SSH<br />
Description = "Secure Shell (Remote Login<br />
Protocol)"<br />
Protocol = TCP<br />
Server_port = 22<br />
WG#_<br />
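The history features of this section (the 20-entry buffer per level, history, !!, !n, !! with appended arguments, and ^old^new substitution) as an added Python model, not WatchGuard code. Two details are assumptions: history numbers keep increasing and are never reused, and a space is inserted between the recalled command and arguments appended after "!!".<br />

```python
"""Model of the CLI history features described in this section. Added
illustration, not WatchGuard code; the ever-increasing numbering and the
space inserted after "!!" before appended arguments are assumptions."""

HISTORY_DEPTH = 20   # the guide: up to 20 commands at each level in every mode


class HistoryBuffer:
    """History for one command level/mode."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []        # list of (number, command), oldest first

    def record(self, command):
        """Append a command; the highest number is the most recent."""
        number = self.entries[-1][0] + 1 if self.entries else 1
        self.entries.append((number, command))
        del self.entries[:-self.depth]      # keep only the last `depth`
        return number

    def listing(self):
        """What "history" prints: numbered, most recent last."""
        return list(self.entries)

    def last(self):
        if not self.entries:
            raise LookupError("history is empty")
        return self.entries[-1][1]

    def lookup(self, number):
        """The command recorded as !number, or None once it has aged out."""
        for n, command in self.entries:
            if n == number:
                return command
        return None

    def expand(self, line):
        """Turn a typed line into the command that actually runs."""
        if line.startswith("^"):                          # ^old^new
            old, _, new = line[1:].partition("^")
            previous = self.last()
            if not old or old not in previous:
                raise ValueError(f"{old!r} not found in {previous!r}")
            return previous.replace(old, new, 1)
        if line.startswith("!!"):                         # !! or !! extra args
            extra = line[2:].strip()
            return self.last() + (" " + extra if extra else "")
        if line.startswith("!") and line[1:].isdigit():   # !n
            command = self.lookup(int(line[1:]))
            if command is None:
                raise LookupError(f"{line}: not in the last {self.depth} commands")
            return command
        return line

    def run(self, line):
        """Expand history syntax, record the resulting command, return it."""
        command = self.expand(line)
        self.record(command)
        return command


class CliSession:
    """One HistoryBuffer per prompt, since each level keeps its own history."""

    def __init__(self):
        self.buffers = {}

    def run(self, prompt, line):
        return self.buffers.setdefault(prompt, HistoryBuffer()).run(line)

    def history(self, prompt):
        return self.buffers.setdefault(prompt, HistoryBuffer()).listing()


if __name__ == "__main__":
    h = HistoryBuffer()
    h.record("show service DNS")
    print(h.run("^DNS^SSH"))        # show service SSH
    print(h.run("!!"))              # show service SSH
    h.record("show")
    print(h.run("!!address"))       # show address
    print(h.run("!1"))              # show service DNS
    print(h.listing())
```

The expanded command, not the shorthand you typed, is what gets recorded, which is why "!!" after a substitution repeats the substituted line; and because each prompt owns its own buffer, "!!" at WG# recalls the last root-level command even if you have since worked in WG(config)#.<br />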
Navigating through the <strong>CLI</strong><br />
At every command level and in all command modes, the<br />
exit command moves the <strong>CLI</strong> user “up” one level (back to<br />
the parent command level) in the command tree structure.<br />
If you issue the exit command at the top (root) level, you<br />
will log out of the system. See the following example:<br />
WG(config-system)#exit<br />
WG(config)#exit<br />
WG#exit<br />
#As a result, you are logged off the <strong>CLI</strong><br />
and the display screen is cleared.<br />
<strong>WatchGuard</strong> (OS 4.0)<br />
At every command level except the top (root) level, entering<br />
the top command and pressing Enter “jumps” the <strong>CLI</strong> user<br />
from the current level to the top (root) command level. The<br />
top (root) command level does not have this command<br />
available as it isn’t necessary. See the following example:<br />
WG(config-qos)#top<br />
WG#_<br />
Common Navigation commands<br />
The following commands can be used at any level of any<br />
<strong>CLI</strong> mode.<br />
history command<br />
WG#admin<br />
WG(admin)#history<br />
Effect<br />
Lists the twenty most recently exercised commands<br />
at this level. (When this command is applied at<br />
other levels, it lists the last twenty commands<br />
entered at that specific level.) For more<br />
information on extending or adapting this<br />
command, see “Reviewing the recently used<br />
commands” on page 11.<br />
Arguments<br />
This command has several adaptations that extend<br />
its usefulness. See “Reviewing the recently used<br />
commands” on page 11 for details.<br />
exit command<br />
WG(admin)#exit<br />
Effect<br />
Exits the current level of <strong>CLI</strong> and returns to the<br />
next-highest command level, all the way to the top-level<br />
WG# prompt.<br />
Arguments<br />
None.<br />
Example<br />
WG(admin)#exit<br />
top command<br />
WG(admin)#top<br />
Effect<br />
Immediately returns to the top level of the<br />
<strong>WatchGuard</strong> <strong>CLI</strong> (the “WG#” prompt) from<br />
whatever level of <strong>CLI</strong> you are using.<br />
Arguments<br />
None.<br />
Example<br />
WG(admin)#top<br />
# As a result, the WG# prompt is displayed.<br />
Using keywords<br />
The <strong>CLI</strong> provides keywords such as enable, disable, and<br />
no that perform specific functions with system parameters.<br />
For example, enable and disable are used to enable and<br />
disable existing configurations such as policy schedules<br />
and system QoS settings. The following example shows an<br />
existing schedule configuration named “24_7_Schedule”<br />
being enabled:<br />
WG(config)#schedule 24_7_Schedule enable<br />
The keyword no functions as a simple “on/off” switch for<br />
configuration components, as shown in the following<br />
example:<br />
WG(config)#denial_of_service no -pingofdeath<br />
Show command/argument (“name”) usage<br />
Entering the show command along with a valid command<br />
name or argument will display all stored entries associated<br />
with the named term. See the following examples. These<br />
examples show only partial displays:<br />
Example 1: Show all security policy records<br />
WG(config)#show policy<br />
Ord NAME                 Dscpt Src  Dest   Svc<br />
1   PRIVATE_HTTPS              ANY  PRIVA  HTTPS<br />
2   ALLOW_PING_FROM_PVT        ANY  INTER  PING<br />
3   ALLOW_PING_FROM_PUB        ANY  INTER  PING<br />
4   ALLOW_PING_FROM_DMZ        ANY  INTER  PING<br />
5   ALLOW_OUTBOUND_DNAT        ANY  ANY    ANY<br />
6   DENY_INBOUND         Deny  ANY  ANY    ANY<br />
7   HOST_OUT                   ANY  ANY    ANY<br />
WG(config)#_<br />
Executing the show command followed by a specific name<br />
displays only the details associated with that specific<br />
named object, as shown in the following example:<br />
Example 2: Show only “private_https” security<br />
policy settings<br />
WG(config)#show policy PRIVATE_HTTPS<br />
Security Policy<br />
Name = PRIVATE_HTTPS<br />
Description = * *<br />
Order = 1<br />
Source = ANY<br />
Destination = interface_0_IP<br />
Service = HTTPS<br />
Viewing context-sensitive online help<br />
When you are logged into an appliance, you can use the<br />
built-in help system to view a list of currently available<br />
commands. These commands vary depending on your current<br />
location in the <strong>CLI</strong>. The types of help commands<br />
include the following:<br />
• Listing all available commands at a specific mode or<br />
level of <strong>CLI</strong><br />
• Listing all of a command’s arguments (and associated<br />
values) along with their specific usage syntax<br />
1 To list all commands available in a particular command<br />
mode or level, type a question mark (?)or enter<br />
“help” at the command prompt.<br />
For example, enter? at the top (root) level command to return<br />
the following list of top-level command options:<br />
administration Enter administration mode<br />
configure Enter configuration mode<br />
debug Enter debug mode<br />
show Show current configuration and<br />
statistics<br />
history Show command history<br />
logout Exit the system<br />
exit Exit the system<br />
2 The <strong>WatchGuard</strong> <strong>CLI</strong>’s help system also lists a specific<br />
command’s argument options along with their specific<br />
usage syntax. For example, here is a help command<br />
that requests (and obtains) the command argument<br />
options and syntax used to configure a security policy:<br />
WG#configure<br />
WG(config)#policy?<br />
policy [ ]<br />
[-position ]<br />
[-firewall ]<br />
[
Installing and configuring a <strong>WatchGuard</strong><br />
appliance<br />
You can use the <strong>WatchGuard</strong> <strong>CLI</strong> to perform almost all<br />
setup and configuration tasks. The following catalog groups<br />
those tasks into general categories, with references to the<br />
series of <strong>CLI</strong> commands you would use to perform each<br />
task, and lists the categories in the order in which you<br />
would normally carry them out.<br />
The general flow of this series of categories and tasks follows<br />
that of the printed <strong>WatchGuard</strong> Vclass User <strong>Guide</strong>,<br />
beginning with installation, and continuing on to administration<br />
and policy configuration tasks.<br />
The tasks are sorted into the following general categories,<br />
and can be reviewed as noted here:<br />
• “To log into a <strong>WatchGuard</strong> appliance for the first time:”<br />
on page 19<br />
• “To assign network addresses to appliance interfaces”<br />
on page 20<br />
• “To complete system configuration” on page 20<br />
• “To create and apply security policies” on page 21<br />
• “To remove/delete items from a <strong>WatchGuard</strong><br />
database” on page 22<br />
• “To save and apply your most recent changes” on<br />
page 22<br />
• “To maintain an appliance” on page 22<br />
• “To troubleshoot an appliance” on page 22<br />
• “To get on-line help while working” on page 24<br />
To log into a <strong>WatchGuard</strong> appliance for the<br />
first time:<br />
See the instructions detailed in “Logging into an appliance<br />
via a console connection” on page 6.<br />
To assign network addresses to appliance<br />
interfaces<br />
To assign network addresses to the data interfaces, use<br />
these commands (along with the arguments and values<br />
noted later in this user guide):<br />
Command Additional Information<br />
WG(config-if)#interface 0<br />
WG(config-if)#interface 1<br />
WG(config-if)#interface 2 if a DMZ interface is present<br />
WG(config-if)#ha2 if an HA2 port is present<br />
To complete system configuration<br />
To complete the initial system configuration, use these<br />
commands:<br />
Command Description<br />
WG(admin)#passwd change the default password to a new,<br />
secure password<br />
WG(config-sys)#route includes both static and dynamic<br />
routes<br />
WG(config-sys)#dns connect to a domain name server<br />
WG(config-sys)#snmp connect to any SNMP management<br />
stations<br />
WG(config-sys)#log activate needed system activity<br />
logging<br />
WG(config-sys)#ldap connect this appliance to an LDAP<br />
server<br />
WG(config)#tunnel_switch activate <strong>WatchGuard</strong> tunnel-switching<br />
features<br />
WG(config)#cert request and import needed certificates<br />
from CA’s<br />
WG(config)#denial_of_service customize anti-hacker protection for<br />
this appliance<br />
WG(config)#high_availability set up and activate a high-availability<br />
system, using the High Availability<br />
feature<br />
WG(config)#log includes event, traffic and alarm log<br />
files<br />
To create and apply security policies<br />
To create and apply security policies, use these commands:<br />
Command Description<br />
WG(config)#address create all the needed address groups for<br />
use in policies<br />
WG(config)#service add new services or groups of related<br />
services<br />
WG(config-ike)#action create IKE actions for use in IKE<br />
policies)<br />
WG(config-ike)#policy create IKE policies for use in IPSec<br />
policies<br />
WG(config-ipsec)#action create IPSec actions for use in IPSec<br />
proposals<br />
WG(config-ipsec)#proposal create IPSec proposals for use in<br />
security policies<br />
WG(config)#nat create NAT actions (DNAT, SNAT or<br />
VIP) for use in policies<br />
WG(config)#vlan create VLAN IDs for use in policies<br />
WG(config-qos)#action create QoS actions for use in policies<br />
WG(config)#schedule create schedules for application to<br />
specific policies<br />
WG(config-ras)#group_profile create RAS group profiles for use in<br />
RAS policies<br />
WG(config-ras)#user_profile create RAS user accounts for use in<br />
RAS policies<br />
WG(config-ras)#database set up the user authentication system for<br />
RAS policies<br />
WG(config)#policy create the actual policies<br />
To remove/delete items from a <strong>WatchGuard</strong><br />
database<br />
To remove a particular object (policy, action, group profile,<br />
etc.), use this command:<br />
WG(config)#delete<br />
To save and apply your most recent changes<br />
To save and apply the latest changes and additions to this<br />
appliance’s configurations and policies, use this command:<br />
WG(config)#commit<br />
To maintain an appliance<br />
To perform security appliance maintenance, use these commands:<br />
Command Description<br />
WG(admin)#flush flush all current connections and SAs<br />
WG(admin)#passwd replace the existing password with a new one<br />
WG(admin)#reboot reboot the <strong>WatchGuard</strong> appliance<br />
WG(admin)#shutdown shut down the <strong>WatchGuard</strong> appliance<br />
To troubleshoot an appliance<br />
To perform troubleshooting tasks, use these commands:<br />
Command Description<br />
WG(debug)#arp display and configure the arp table<br />
WG(debug)#netstat show network/connection states and statistics<br />
WG(debug)#ping verify network connectivity<br />
WG(debug)#radius_ping verify connection with a RADIUS server<br />
WG(debug)#tcpdump trace network packets<br />
WG(debug)#traceroute trace a route to a specific destination<br />
To restore an appliance to the factory-default<br />
state<br />
WG(admin)#restore_default<br />
To review the most recent tasks (at any<br />
level)<br />
(<strong>CLI</strong> prompt)#history<br />
To get on-line help while working<br />
To get help with the <strong>WatchGuard</strong> <strong>CLI</strong><br />
Command Description<br />
? online help at any prompt, or at the end of any other<br />
command<br />
show view a list of objects at the # prompt<br />
history view the last 20 commands entered at this level of the <strong>CLI</strong>;<br />
Enter at the # prompt<br />
CHAPTER 2 Administration Mode<br />
Commands<br />
All <strong>WatchGuard</strong> <strong>CLI</strong> commands are organized into<br />
groups, which are presented as specific command<br />
modes. This chapter covers the commands available in<br />
Administration Mode.<br />
Command syntax conventions used in this<br />
guide<br />
To help you better use this guide, the following text<br />
conventions are used. These conventions are in addition<br />
to the text notation introduced in “<strong>CLI</strong> <strong>Guide</strong> text conventions”<br />
on page 3.<br />
Convention Description<br />
All required text is enclosed in angle brackets.<br />
- Some arguments must be preceded by a hyphen<br />
(“-”). If a hyphen is required, but you do not use<br />
it to precede the argument, that argument will be<br />
dropped.<br />
[text] Optional text is enclosed in square brackets.<br />
{text} Text wrapped in curly braces is optional, usually<br />
representing qualifications or values related to an<br />
argument.<br />
itemA | itemB Text items separated by a pipe character (vertical<br />
bar) indicate two options, of which only one can<br />
be entered.<br />
itemA &| itemB Text followed by an ampersand (&) and a pipe<br />
character (vertical bar) indicates two options,<br />
either or both of which can be entered.<br />
[item_A, item_B, item_C] A comma separating bracketed text indicates<br />
repeated options that may be entered one at a<br />
time or all at once.<br />
+ item A plus (+) sign preceding specific text represents<br />
additional elements that are being added to an<br />
existing setting. For example, to add a new<br />
“member” to an existing address group, you<br />
would type a “+” prior to the address<br />
information of the new member.<br />
no A “no” entered before an argument indicates<br />
that the argument is not to be included in the<br />
command. This is useful when entering a number<br />
of arguments, one of which should not be<br />
included yet must be entered in the command.<br />
\ A backslash character at the end of a portion of<br />
command line signifies that the command line<br />
has been broken at that point, and continues on<br />
the next line.<br />
If you enter a command in the <strong>CLI</strong>, such as the following:<br />
WG(config)#policy<br />
and press without adding any arguments to the<br />
command line, the <strong>WatchGuard</strong> <strong>CLI</strong> will display a complete<br />
list of related arguments and values, in the form in<br />
which you should enter them. This is helpful when the <strong>CLI</strong><br />
tells you that a command you just entered isn’t acceptable.<br />
You can call up this text to review requirements and syntax<br />
for a command or argument.<br />
Administration mode commands<br />
The following catalog lists all of the administration mode<br />
commands, along with a description of the arguments for<br />
each command and the relevant values for each argument.<br />
Command For more information, see<br />
account “account command” on page 28<br />
downgrade “downgrade command” on page 29<br />
export “export command” on page 30<br />
flush “flush command” on page 31<br />
ha_sync “ha_sync command” on page 31<br />
import “import command” on page 32<br />
operation_mode “operation_mode command” on page 35<br />
passwd “passwd command” on page 36<br />
reboot “reboot command” on page 37<br />
restore_default “restore default command” on page 38<br />
shutdown “shutdown command” on page 38<br />
upgrade “upgrade command” on page 39<br />
history “history command” on page 14<br />
exit “exit command” on page 14<br />
top “top command” on page 15<br />
account command<br />
WG#admin<br />
WG(admin)#account<br />
-login_limit<br />
-login_limit <br />
-status<br />
-unlock |all<br />
-all<br />
Effect<br />
Allows you to view, set, and clear failed login attempt limits.<br />
Login limits provide a further level of security, and<br />
eliminate susceptibility to “brute force” password hacks.<br />
The account management feature is available in all three<br />
operation modes (normal, FIPS, and CC).<br />
The <strong>CLI</strong> allows only the root superadmin “admin” to log<br />
in, while rejecting all other accounts, including user-defined<br />
superadmin accounts. If you set the login_limit<br />
feature on the root superadmin user, it is possible for the<br />
superadmin to be locked out of the system.<br />
To work around this possible problem:<br />
1 Create another superadmin account in addition to the<br />
root superadmin “admin” account, using Vcontroller,<br />
before you set the login_limit for the root<br />
superadmin account.<br />
If the root superadmin “admin” is locked out because of<br />
exceeded login failures, you can use this separate, non-root-level<br />
superadmin account to log in to Vcontroller with full<br />
administration privileges.<br />
2 In a text editor, create and save an ASCII text file with<br />
the following two lines:<br />
admin<br />
account -unlock admin<br />
3 In Vcontroller, click Diagnostics/<strong>CLI</strong> and select the <strong>CLI</strong><br />
tab.<br />
This feature allows you to select a text file that contains <strong>CLI</strong><br />
commands.<br />
4 Click Open.<br />
A Browse dialog appears.<br />
5 Select the text file you created earlier, and click Select.<br />
The admin account is unlocked.<br />
Arguments<br />
-login_limit<br />
This command displays the current login limits set<br />
for admin and user on the device.<br />
-login_limit <br />
This command sets the limit for failed attempts for<br />
the specified user type (admin or user) to the<br />
number specified.<br />
-status<br />
This command displays a table of failed login<br />
attempts for each user, provided the limit for the<br />
login name is greater than 0.<br />
-unlock |all<br />
This command unlocks a login name or all login<br />
names, after the name or names are locked due to<br />
failed login attempts.<br />
-all<br />
This command displays detailed information for all<br />
accounts on the device.<br />
Examples<br />
WG#admin<br />
WG(admin)#account -login_limit<br />
WG#admin<br />
WG(admin)#account -login_limit admin 5<br />
WG#admin<br />
WG(admin)#account -unlock joe_user<br />
downgrade command<br />
WG#admin<br />
WG(admin)#downgrade<br />
<strong>WatchGuard</strong> Command Line Interface <strong>Guide</strong> 29
CHAPTER 2: Administration Mode Commands<br />
Effect<br />
Restores the system software to the previously<br />
installed version.<br />
Arguments<br />
None<br />
Example<br />
WG(admin)#downgrade<br />
NOTE<br />
If you apply this command, certain <strong>WatchGuard</strong> features<br />
incorporated in the current version may not be available<br />
afterwards. This will affect both configurations and policies<br />
in this appliance. You should make a careful review of this<br />
security appliance’s setup to prevent any problems.<br />
export command<br />
WG#admin<br />
WG(admin)#export<br />
Effect<br />
Exports certificate requests, the log archive, or an<br />
XML profile. The export command must be<br />
followed by a space and the name of the item to be<br />
exported:<br />
cert_request to export certificate requests<br />
log to export the log archive<br />
xml to export an XML profile<br />
ip to export the blocked or exception IP lists<br />
Each export option requires specific syntax.<br />
export cert_request:<br />
export cert_request [-tftp] <br />
-ftp <br />
-[console]<br />
#ex: export cert_request 20001 10.10.0.100:/RS/cert/20001.req<br />
export log:<br />
export log [all|alarms|events|traffic|ras_user|p1sa|p2sa]<br />
[-tftp] <br />
-ftp <br />
export xml:<br />
export xml [-tftp] <br />
-ftp <br />
-[console]<br />
export ip:<br />
export ip {blocked|allowed}<br />
[-tftp] <br />
-ftp <br />
flush command<br />
WG#admin<br />
WG(admin)#flush<br />
Effect<br />
Resets all active connections, including security associations (SAs).<br />
Arguments<br />
None.<br />
ha_sync command<br />
WG#admin<br />
WG(admin)#ha_sync<br />
NOTE<br />
This command is available only if the <strong>WatchGuard</strong> appliance<br />
you are currently logged into has High Availability enabled<br />
(using the “config-ha” command), is the Master appliance,<br />
and is connected to another security appliance assigned to a<br />
backup role.<br />
Effect<br />
Initiates the <strong>WatchGuard</strong> Firebox Vclass security<br />
appliance hotsync process, which copies the<br />
complete profile (configurations and policies) from<br />
this appliance to a designated backup appliance.<br />
After you restart the backup appliance, your “high<br />
availability” system is ready and active.<br />
Arguments<br />
None<br />
Example<br />
WG(admin)#ha_sync<br />
import command<br />
The import command allows you to import certificates, a<br />
certificate revocation list (CRL), an XML profile, or a list of<br />
blocked or allowed IPs.<br />
cert command<br />
WG#admin<br />
WG(admin)# import cert<br />
[-tftp] <br />
-ftp
crl command<br />
WG#admin<br />
WG(admin)# import crl<br />
[-tftp] <br />
-ftp
ip command<br />
WG#admin<br />
WG(admin)#import ip {blocked|allowed}<br />
{override|merge}<br />
[-tftp] <br />
-ftp <br />
Effect<br />
Imports a list of blocked or allowed IP addresses to<br />
the appliance database.<br />
Prerequisites<br />
The list of IP addresses must be a text file. The<br />
formatting information follows.<br />
For blocked IP, each line of the file should include:<br />
[space] [space]<br />
<br />
specifies the month, day, and<br />
year.<br />
specifies the hour, minute, and<br />
second.<br />
For example, a text file containing the following<br />
lines blocks these sites until the provided<br />
expiration time:<br />
12.11.12.15 8/14/2003 14:00:00<br />
12.13.22.8 10/19/2004 1:21:05<br />
To add blocked sites that do not expire, use only<br />
the IP address.<br />
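Because a malformed or already-expired line is only discovered after the file is uploaded, it is worth checking the list before running import ip. The following checker is an added example written for this guide, not <strong>WatchGuard</strong> code; it assumes exactly the line format described above (a bare IPv4 address, or address, m/d/yyyy date and h:mm:ss time separated by spaces), and SAMPLE_FILE is constructed here, its first two lines being the guide's own entries.<br />

```python
"""Pre-import check for an 'import ip {blocked|allowed}' text file.

Added example, not WatchGuard code.  It follows the line format the guide
gives: "<ip> <m/d/yyyy> <h:mm:ss>" for an entry that expires, or a bare
IPv4 address for one that never does.  SAMPLE_FILE is constructed here;
its first two lines are the guide's own example entries.
"""
import ipaddress
from datetime import datetime
from typing import List, Optional, Tuple

SAMPLE_FILE = """\
12.11.12.15 8/14/2003 14:00:00
12.13.22.8 10/19/2004 1:21:05
10.0.0.7
10.0.0.10 1/1/2099 23:59:59
300.1.1.1 1/1/2030 00:00:00
10.0.0.8 13/40/2030 25:00:00
10.0.0.9 1/1/2030
"""

Entry = Tuple[str, Optional[datetime]]


def parse_line(line: str) -> Entry:
    """Return (ip, expiry or None); raise ValueError on a malformed line."""
    fields = line.split()
    if len(fields) not in (1, 3):
        raise ValueError(f"expected 1 or 3 fields, got {len(fields)}: {line!r}")
    ip = str(ipaddress.IPv4Address(fields[0]))   # AddressValueError is a ValueError
    if len(fields) == 1:
        return ip, None                            # never expires
    # month/day/year and hour:minute:second; unpadded digits are accepted
    expiry = datetime.strptime(f"{fields[1]} {fields[2]}", "%m/%d/%Y %H:%M:%S")
    return ip, expiry


def validate(text: str, now: Optional[datetime] = None) -> Tuple[List[Entry], List[str]]:
    """Split a file into (accepted entries, error messages).

    Entries whose expiry is already past are reported as errors: importing
    them would block nothing.
    """
    now = now or datetime.now()
    accepted: List[Entry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            ip, expiry = parse_line(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if expiry is not None and expiry <= now:
            errors.append(f"line {lineno}: {ip} already expired at {expiry:%m/%d/%Y %H:%M:%S}")
            continue
        accepted.append((ip, expiry))
    return accepted, errors
```

Run validate() on the file's contents and fix every reported line before uploading; with a merge import, a stray line would otherwise silently fail to add the address you intended to block.<br />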
Arguments<br />
blocked|allowed<br />
Specifies whether to import the contents of the text<br />
file to the blocked IP list, or to the allowed<br />
(exceptions) IP list.<br />
merge|override<br />
Merge merges the new IP addresses into the<br />
existing list of IP addresses.<br />
Override replaces all of the existing IP addresses<br />
with the IP addresses on the imported list.<br />
Example<br />
WG(admin)# import ip blocked override -ftp 192.168.216.232:/tmp/blockedip.txt<br />
operation_mode command<br />
WG#admin<br />
WG(admin)#operation_mode<br />
<br />
Effect<br />
This command changes the system mode to<br />
operate in normal, FIPS, or Common Criteria (CC)<br />
mode.<br />
FIPS mode<br />
FIPS 140-2 is a standard that describes government<br />
requirements that cryptographic hardware or<br />
software products must meet. FIPS certification is<br />
required for products that are sold to the<br />
government.<br />
FIPS mode disables or changes the following<br />
functionality:<br />
- Shell access is disabled (for example, sucode).<br />
- Unprotected remote access is disabled, including<br />
telnet and SSH. To log in to the box using telnet<br />
requires a physical connection to the console port.<br />
- Non-qualified algorithms are disabled (MD5).<br />
- SSL3.0 is disabled. Support for TLS is still<br />
included.<br />
- A direct crypto interface to the Rapidcore and<br />
other crypto modules is provided for the startup<br />
crypto self-test, and random number generation<br />
can be tested.<br />
- Object reuse is avoided. Keys are zeroed out<br />
when they are no longer in use.<br />
Common Criteria (CC) mode<br />
Common Criteria (CC) defines a language for<br />
defining and evaluating information technology<br />
security systems and products. The framework<br />
provided by Common Criteria allows US<br />
government agencies and other groups to define<br />
sets of specific requirements.<br />
IT security products purchased by the US<br />
Government for National Security Systems, which<br />
handle Classified and some non-Classified<br />
information, are required to be Common Criteria<br />
certified.<br />
Common Criteria mode conforms to EAL4 level.<br />
Common Criteria mode disables or changes the<br />
following functionality:<br />
- HTTPS uses 3DES-SHA1 encryption only.<br />
- User login failure count can be configured, and<br />
users can be locked out after the failure count is<br />
met. See “account command” on page 28 for<br />
more information.<br />
passwd command<br />
WG#admin<br />
WG(admin)#passwd <br />
Effect<br />
Replaces the current “admin” super user access<br />
password text with a new entry. This command<br />
initiates a several-step process in which you will be<br />
prompted to enter the new password twice, before<br />
it takes effect. See “Process” immediately following<br />
for details.<br />
Process<br />
Type a space, then the text of the current password<br />
after the command.<br />
When you press , a “New password:”<br />
prompt is displayed, at which you can type the<br />
new password, using between 6 and 20 characters.<br />
NOTE<br />
ALERT: Please note that no text will appear on-screen as<br />
you type.<br />
When you press to submit the new<br />
password text, a “Reconfirm password:” prompt is<br />
displayed. Retype the same text (again, no text<br />
will appear on-screen).<br />
When you press , the new password will<br />
be confirmed and stored in the appliance, then<br />
immediately put into effect.<br />
Example<br />
WG(admin)#passwd: <br />
New password: * <br />
# Remember, no text will appear when you type.<br />
Reconfirm password: * <br />
Password change completed!<br />
WG(admin)#<br />
NOTE<br />
Remember to write the new password down and store the<br />
note in a safe place. If you forget the password and lose the<br />
note, contact <strong>WatchGuard</strong> for assistance.<br />
reboot command<br />
WG#admin<br />
WG(admin)#reboot<br />
Effect<br />
Shuts down, then restarts this <strong>WatchGuard</strong> Firebox<br />
Vclass security appliance. You will be<br />
automatically logged out of the appliance, but after<br />
a few minutes (and a considerable display of status<br />
messages), the main login prompt will appear. You<br />
can log in again at this time.<br />
Arguments<br />
None.<br />
restore default command<br />
WG#admin<br />
WG(admin)#restore_default<br />
Effect<br />
Reinitializes this appliance and restores the<br />
original “factory default” configuration. Once this<br />
process is complete, you can log in again, then start<br />
over with appliance installation, configuration and<br />
policy creation, either by manual entry or<br />
importing of a profile from another appliance.<br />
Arguments<br />
None.<br />
Results<br />
After applying this command, the <strong>CLI</strong> will<br />
immediately record a series of “restoring” status<br />
messages, along with “please wait…” messages.<br />
When the restoration is complete, the main login<br />
prompt will appear.<br />
You can now log into the appliance with the user<br />
name of “admin” and the password of “admin” to<br />
begin reconfiguration of this appliance.<br />
shutdown command<br />
WG#admin<br />
WG(admin)#shutdown<br />
Effect<br />
Shuts down this <strong>WatchGuard</strong> appliance. You will<br />
be automatically logged out of the appliance, at<br />
which time you can break the <strong>CLI</strong> connection.<br />
Arguments<br />
None.<br />
upgrade command<br />
WG(admin)#upgrade<br />
upgrade [-tftp] <br />
upgrade -ftp <br />
Effect<br />
Upgrades the system software, using a “.rsu” file,<br />
from a specific location.<br />
Example<br />
upgrade -ftp wg:wg@ftp.watchguard.com:/patch/upgrade.rsu<br />
CHAPTER 3 Configuration Mode<br />
Commands<br />
All <strong>WatchGuard</strong> <strong>CLI</strong> commands are organized into<br />
groups, which are presented as specific command<br />
modes. This chapter covers the commands available in<br />
Configuration Mode.<br />
Top-level configuration mode commands<br />
The following catalog lists the top-level configuration<br />
mode commands, with a description of the arguments<br />
for each command and the values for each argument.<br />
Also included, where applicable, is the sequence of<br />
“config” commands necessary to reach a specific command<br />
level where a particular command can be<br />
entered and used.<br />
Command For more information<br />
abort See “abort command” on page 43.<br />
address See “address command” on page 43.<br />
certificate See “certificate command” on page 45.<br />
commit See “commit command” on page 45.<br />
delete See “delete command” on page 45.<br />
denial_of_service See “denial_of_service command” on page 46.<br />
high_availability See “high_availability commands” on page 47.<br />
ike See “ike command” on page 48.<br />
interface See “interface command” on page 49.<br />
ipsec See “ipsec command” on page 49.<br />
license See “license command” on page 49.<br />
log See “log command” on page 50.<br />
nat See “nat command” on page 54.<br />
no See “no command” on page 56.<br />
policy See “policy command” on page 57.<br />
qos See “qos command” on page 60.<br />
ras See “ras command” on page 61.<br />
rename See “rename command” on page 61.<br />
schedule See “schedule command” on page 62.<br />
service See “service command” on page 63.<br />
system See “system command” on page 64.<br />
trace See “trace command” on page 64.<br />
tenant See “tenant command” on page 65.<br />
tunnel_switch See “tunnel_switch command” on page 65.<br />
show See “history command” on page 66.<br />
history See “history command” on page 14.<br />
exit See “exit command” on page 14.<br />
top See “top command” on page 15.<br />
abort command<br />
WG#config<br />
WG(config)#abort<br />
Effect<br />
Aborts (erases) all system configuration changes<br />
made since the last use of the<br />
WG(config)#commit command. This empties the<br />
cache of to-be-committed changes and additions.<br />
Arguments<br />
None<br />
address command<br />
WG#config<br />
WG(config)#address [+] -host<br />
\<br />
[]… -net []… -range \<br />
[]… \<br />
-group []…<br />
Effect<br />
Creates a new address object or modifies an<br />
existing group, depending upon the use of the “+”<br />
character. This command must start with a new or<br />
existing “name” and can incorporate the following:<br />
(1) a single IP address, (2) a range of IP addresses,<br />
(3) a subnet, and (4) a group of existing address<br />
entries that you may want to combine into a single<br />
entity.<br />
Arguments<br />
<br />
This argument notes a new “name” for this group.<br />
You can then type one or more of the following<br />
addressing arguments, depending upon the<br />
contents of this address.<br />
-host [a.b.c.d]…<br />
This argument notes a single IP address (omitting<br />
subnet information.)<br />
-net [a.b.c.d/e]…<br />
This argument notes a single subnet IP address and<br />
subnet mask (representing all the individual IP<br />
addresses in that subnet.)<br />
-range []<br />
This argument notes a range of IP addresses.<br />
-group [address_name]…<br />
This argument notes a group of existing address<br />
entries that you want to combine into a single<br />
entity.<br />
+<br />
This character, when inserted in the command line<br />
in the proper location, allows you to add a new<br />
address member to an existing group. You must<br />
use the exact, case-sensitive name of the group<br />
when adding new entries.<br />
Examples<br />
WG(config)# address my_nets -host 10.10.1.1/16<br />
# Creating a new address group with a single host<br />
WG(config)# address my_nets -range 14.0.2.1-14.0.2.125<br />
# Creating a new address group with a range of IP addresses<br />
WG(config)# address my_nets + -net 10.29.0.0/16<br />
# Add a new address to an existing address group<br />
certificate command<br />
WG#config<br />
WG(config)#certificate<br />
Effect<br />
Enters the certificate-configuration mode, at which<br />
point you can enter certificate-specific task<br />
commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about “certificate” mode<br />
commands, see “Level 2 certificate configuration<br />
commands” on page 67.<br />
commit command<br />
WG#config<br />
WG(config)#commit<br />
Effect<br />
This command applies all uncommitted policy,<br />
system configuration changes, and additions to the<br />
appliance.<br />
Arguments<br />
None<br />
delete command<br />
WG#config<br />
WG(config)#delete <br />
Effect<br />
Deletes a specifically named object, such as an<br />
address group, policy, action, or service.<br />
Arguments<br />
<br />
This argument records the exact name of the to-be-deleted<br />
item.<br />
Example<br />
WG(config)#delete address exec_addresses<br />
# This command deletes an address group named “exec_addresses”.<br />
WG(config)#delete ike policy "HQ IKE"<br />
# This command deletes an IKE policy named “HQ IKE”.<br />
denial_of_service command<br />
WG#config<br />
WG(config)#[no][-icmp [threshold]]<br />
#threshold packet/s;default=1000<br />
[no][-syn [threshold]]<br />
#threshold packet/s;default=5000<br />
[no][-udp [threshold]]<br />
#threshold packet/s;default=1000<br />
[no][-pingofdeath]<br />
[no][-sourceroute]<br />
[no][-server_ddos [threshold]]<br />
#threshold connection/s;default=100<br />
[no][-client_ddos [threshold]]<br />
#threshold connection/s;default=100<br />
Effect<br />
Records your preferences for denial-of-service<br />
defense parameters. You can enter any or all of the<br />
customizable arguments listed below.<br />
Arguments<br />
[no][-icmp ]<br />
Activates ICMP flood protection with a user-specified<br />
threshold in packets per second; default = 1000.<br />
[no][-syn ]<br />
Activates TCP/SYN flood protection with a user-specified<br />
threshold in packets per second; default = 5000.<br />
[no][-udp ]<br />
Activates UDP flood protection with a user-specified<br />
threshold in packets per second; default = 1000.<br />
[no][-pingofdeath]<br />
Activates ping-of-death protection.<br />
[no][-sourceroute]<br />
Activates source route protection by disallowing<br />
source route options.<br />
[no][-server_ddos ]<br />
Activates server DDOS protection; the default<br />
threshold = 100, which controls the maximum<br />
number of connections permitted to any one<br />
server.<br />
[no][-client_ddos ]<br />
Activates client DDOS protection; the default<br />
threshold=100, which controls the maximum<br />
number of connection requests permitted to a<br />
single client.<br />
no<br />
Enter this before any options you want to<br />
deactivate in this appliance, as shown above.<br />
Example<br />
WG(config)#denial -syn 1000 no -udp<br />
high_availability commands<br />
NOTE<br />
High Availability commands will not be available to you if<br />
the <strong>WatchGuard</strong> appliance you are administering does not<br />
feature any HA ports. In addition, you need a High<br />
Availability feature license.<br />
Enter high availability configuration mode<br />
WG#config<br />
WG(config)# high_availability<br />
Effect<br />
Enters the high availability (HA) configuration<br />
mode, at which point you can enter HA specific<br />
commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about “HA” mode<br />
commands, see “Level 2 High Availability<br />
configuration commands” on page 72.<br />
Disable high availability mode<br />
WG#config<br />
WG(config)#no high_availability<br />
Effect<br />
Disables high availability if it is already in effect.<br />
Arguments<br />
None.<br />
ike command<br />
WG#config<br />
WG(config)#ike<br />
Effect<br />
Enters the IKE configuration mode, at which point<br />
you can enter IKE-specific commands and their<br />
arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about “IKE” mode<br />
commands, see “Level 2 IKE configuration<br />
commands” on page 78.<br />
interface command<br />
WG#config<br />
WG(config)#interface<br />
Effect<br />
Enters the system interface configuration mode, at<br />
which point you can enter interface-specific<br />
commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
See “Level 2 interface configuration commands” on<br />
page 82 for details on specific “interface” mode<br />
commands.<br />
ipsec command<br />
WG#config<br />
WG(config)#ipsec<br />
Effect<br />
Enters the IPSec configuration mode, at which<br />
point you can enter IPSec action- and proposal-specific<br />
commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about “IPSec” mode<br />
commands, see “Level 2 IPSec configuration<br />
commands” on page 95.<br />
license command<br />
WG#config<br />
WG(config)#license<br />
Effect<br />
Enters license parameter configuration mode, at<br />
which point you can enter license-specific<br />
commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about “license” mode<br />
commands, see “Level 2 license commands (for<br />
upgraded or additional features)” on page 117.<br />
log command<br />
no command (log level)<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#no<br />
<br />
Effect<br />
Disables logging for the specified log.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#no traffic<br />
clear all command (log level)<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#clear_all<br />
Effect<br />
Clears all logs.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#clear_all<br />
diagnostics command (log level)<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#diagnostics [ike ]<br />
#level=1-6<br />
[cmm ]<br />
[ nm ]<br />
[pmm ]<br />
[ ha ]<br />
Effect<br />
Runs log diagnostics for the specified feature.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#diagnostics ha 1<br />
[no] event command (log level)<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)# [no] event<br />
<br />
Effect<br />
Turns logging on (or off, if the command is<br />
preceded by “no”) for the specified error level.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#event administration<br />
[no] remote command (log level)<br />
WG(config-log)#[no] remote <br />
[default]<br />
[-alarm <br />
]<br />
[-event <br />
]<br />
[-traffic <br />
]<br />
[-p1sa <br />
]<br />
[-p2sa <br />
]<br />
[-ras <br />
]<br />
# facility:=[auth|authpriv|cron|daemon|ftp|kern|lpr|mail<br />
#            |news|syslog|user|uucp|local0|local1|...|local7]<br />
# priority:=[original|debug|info|notice|warning<br />
#            |err|Crit|alert|emerg]<br />
Effect<br />
Turns remote logging on or off for the specified<br />
logs and error levels.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#remote 10.10.10.99 default<br />
[no] traffic command (log level)<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#[no] traffic<br />
Effect<br />
Turns the traffic log on or off.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#traffic<br />
history command (log level)<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#history<br />
Effect<br />
Shows up to the last 20 commands.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#history<br />
rename command (log level)<br />
WG#config<br />
WG(config)#log<br />
WG(config-log)#rename<br />
address rename address groups<br />
ike rename IKE actions/<br />
policies<br />
ipsec rename IPSec actions/<br />
proposals<br />
nat rename NAT actions<br />
policy rename security<br />
policies<br />
qos rename QoS actions<br />
ras rename RAS group<br />
schedule rename schedule actions<br />
service rename service groups<br />
Effect<br />
Allows you to rename various items.<br />
See also<br />
See “rename command” on page 61.<br />
nat command<br />
WG#config<br />
WG(config)#nat [-static_nat ]| \<br />
[-vip<br />
-<br />
server [+] \<br />
{ [weight]}…>]<br />
Effect<br />
Records a new NAT action for use in security<br />
policies. You can create one of three possible NAT<br />
actions, choosing from VIP, DNAT or Static NAT.<br />
Arguments<br />
<br />
If this is to be a load-balancing or static NAT action,<br />
enter a short, distinctive name for this new action<br />
following the NAT command prompt.<br />
-static_nat < -external ><br />
\<br />
<br />
(For one-to-one and subnet-to-subnet mapping)<br />
This argument specifies (1) that this is a static NAT<br />
action, and records the address groups associated<br />
with the internal and external sources. The address<br />
groups can be single IP addresses or subnets.<br />
-vip | -<br />
server [+] \<br />
{ [IP address] …<br />
}><br />
This argument specifies that this is a load-balancing<br />
(virtual IP) NAT action, and records (1)<br />
the algorithm that will be applied and (2) the server<br />
addresses and port numbers. If a weighted<br />
algorithm is used, this argument adds (3) the per-server<br />
weight assignments.<br />
The load-balancing algorithm argument values<br />
include the following entries:<br />
round_robin: Denotes the round robin algorithm<br />
wround_robin: Denotes weighted round robin<br />
random: Denotes random<br />
wrandom: Denotes weighted random<br />
least_connection: Denotes least connection<br />
wleast_connection: Denotes weighted least<br />
connection<br />
TIP<br />
If you are adding a new server/weight to an<br />
existing VIP NAT action, prefix the new server<br />
record with a “+” character.<br />
If you are entering the “server” argument, you<br />
must note (1) the IP address of the server, (2) the port<br />
number it will watch, and (3) the proportion of traffic<br />
this server will be assigned, noted as a whole<br />
number.<br />
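What the six algorithm names and the per-server weights mean for actual traffic is easiest to see by running them. The following model is an added example written for this guide, not <strong>WatchGuard</strong> code, and the guide does not describe the appliance's real scheduler: each algorithm is implemented as one straightforward reading of its name (weighted round robin gives a server <weight> consecutive picks before moving on; weighted least-connection picks the lowest active/weight ratio), which is an assumption. The Server, VipBalancer and distribute names are this example's own; the server list is the guide's own three-server example below (10.10.0.100, .101 and .102 on port 80 with weights 1, 2 and 3).<br />

```python
"""Model of the six VIP load-balancing algorithms of the nat -vip command.

Added example, not WatchGuard code.  How the appliance really schedules
connections is not described in the guide; this is one straightforward
reading of each algorithm name.  Weighted round robin here hands a server
<weight> consecutive picks before moving on; weighted least-connection
picks the lowest active/weight ratio.  The server list is the guide's
example: 10.10.0.100/.101/.102 on port 80 with weights 1, 2, 3.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

ALGORITHMS = ("round_robin", "wround_robin", "random", "wrandom",
              "least_connection", "wleast_connection")


@dataclass
class Server:
    ip: str
    port: int
    weight: int = 1     # the whole-number proportion from the server record
    active: int = 0     # open connections, used by the least_connection pair


class VipBalancer:
    def __init__(self, algorithm: str, servers: List[Server],
                 seed: Optional[int] = None) -> None:
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        if not servers or any(s.weight < 1 for s in servers):
            raise ValueError("need at least one server with weight >= 1")
        self.algorithm = algorithm
        self.servers = servers
        self._rng = random.Random(seed)   # seedable so runs are repeatable
        self._index = 0    # next server for the round-robin variants
        self._credit = 0   # picks already given to servers[_index] (weighted)

    def pick(self) -> Server:
        """Choose the server for a new connection and count it as active."""
        algo = self.algorithm
        if algo == "round_robin":
            s = self.servers[self._index % len(self.servers)]
            self._index += 1
        elif algo == "wround_robin":
            s = self.servers[self._index % len(self.servers)]
            self._credit += 1
            if self._credit >= s.weight:
                self._credit = 0
                self._index += 1
        elif algo == "random":
            s = self._rng.choice(self.servers)
        elif algo == "wrandom":
            s = self._rng.choices(self.servers,
                                  weights=[x.weight for x in self.servers])[0]
        elif algo == "least_connection":
            s = min(self.servers, key=lambda x: x.active)   # first wins ties
        else:  # wleast_connection
            s = min(self.servers, key=lambda x: x.active / x.weight)
        s.active += 1
        return s

    def release(self, server: Server) -> None:
        """Connection closed: one fewer active on that server."""
        server.active = max(0, server.active - 1)


def example_servers() -> List[Server]:
    """The guide's three-server VIP example, as fresh objects."""
    return [Server("10.10.0.100", 80, 1),
            Server("10.10.0.101", 80, 2),
            Server("10.10.0.102", 80, 3)]


def distribute(balancer: VipBalancer, n: int) -> Dict[str, int]:
    """Pick n connections and count how many each server received."""
    counts: Dict[str, int] = {s.ip: 0 for s in balancer.servers}
    for _ in range(n):
        counts[balancer.pick().ip] += 1
    return counts
```

With the weights 1, 2 and 3, distribute() over 60 connections returns 10, 20 and 30 for the weighted round-robin variant, which is the proportion the “server” argument's whole-number weights express.<br />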
NOTE<br />
Note that dynamic NAT is already present in the<br />
<strong>WatchGuard</strong> database by default, and is ready for use in<br />
security policies. You can specify “dynamic_nat” as the NAT<br />
action when you create the appropriate policies.<br />
Examples<br />
WG(config)#nat load_balancing -vip wround -server \<br />
{10.10.0.100 80 1} {10.10.0.101 80 2} {10.10.0.102 80 3}<br />
WG(config)#nat natS -stat -ext pub1 -int web_server1<br />
Record dynamic security policy IP NAT action<br />
WG#config<br />
WG(config)#nat [-dynamic_nat<br />
]<br />
Effect<br />
Records a new dynamic IP NAT action for use in<br />
security policies. You can create one of two<br />
possible DNAT options, choosing from the default<br />
IP address for interface 1 or a user-designated IP<br />
address.<br />
Arguments<br />
<br />
If this is to be a user-designated IP address DNAT<br />
action, enter the IP address of your choice as the<br />
command argument. If you are using the default<br />
interface 1 IP address, enter that in the argument.<br />
no command<br />
WG#config<br />
WG(config)#no<br />
high_availability disable high<br />
availability<br />
Effect<br />
Disables the high availability feature.<br />
Arguments<br />
None<br />
Example<br />
WG#config<br />
WG(config)#no high_availability<br />
policy command<br />
WG#config<br />
WG(config)#policy<br />
policy [ ]<br />
[-position ]<br />
[-firewall ]<br />
[
destination address groups to which this policy<br />
will be applied.<br />
<br />
This argument records the interface this policy will<br />
apply to.<br />
[-position ]<br />
This argument records which numbered location<br />
this policy occupies in the policy table.<br />
[-firewall ]<br />
This argument allows you to specify which firewall<br />
option to apply.<br />
[]<br />
These arguments allow you to combine various<br />
preexisting actions in this one policy, including:<br />
-service: Enter the name of a service group<br />
after this argument.<br />
-tenant: Enter the name of a tenant object after<br />
this argument.<br />
-nat: Enter the name of a NAT action after this<br />
argument.<br />
-qos: Enter the name of a QoS action after this<br />
argument.<br />
-schedule: Enter the name of a schedule after<br />
this argument.<br />
-ipsec: Enter the name of an IPSec action after<br />
this argument.<br />
[{-tosF | -tosR} ]<br />
This argument records the TOS marking direction<br />
and marking bit. “bbbbbb” represents the six bit<br />
positions that you can choose from. You pick a<br />
location and enter a “1” to mark that bit.<br />
[-log_per_policy [enable|disable] ]<br />
This argument allows you to enable or disable<br />
logging on a per-policy basis.<br />
[-icmp_error_handling_per_policy<br />
[[global | all] |<br />
[[no] fragmentation_required]<br />
[[no] time_exceeded]<br />
[[no] network_unreachable]<br />
[[no] host_unreachable]<br />
[[no] port_unreachable] ]<br />
This argument allows you to implement ICMP<br />
error handling per policy, and specify error<br />
handling options.<br />
[-mss_adjustment_per_policy [auto|<br />
limit_to |disable|use_global]]<br />
This argument allows you to specify a per-policy<br />
TCP Maximum Segment Size. See<br />
“mss_adjustment” on page 112 for more<br />
information on these settings. To use the global<br />
settings, use the argument use_global.<br />
Examples<br />
WG(config)#policy Allow_Outbound Any Any interface 0 -firewall pass -nat DYNAMIC_NAT<br />
WG(config)#policy HQ_BR_VPN HQ BR interface 0 -firewall pass -ipsec bi HQ_IPsec<br />
WG(config)#policy SJ_NY_VPN SJ NY interface 1 -firewall pass -ipsec SJ_NY_IPSec<br />
WG(config)#policy SJ_LA_VPN -mss_adjustment_per_policy limit_to 1400<br />
WG(config)#policy SJ_NY_VPN -icmp_error_handling_per_policy all<br />
WG(config)#policy SJ_NY_VPN -position 5<br />
The previous example shows a relocation of policy<br />
SJ_NY_VPN to the fifth position (row) in the policy<br />
table.<br />
NOTE<br />
You can combine a range of actions (“-vlan”, “-ipsec”, “-nat”,<br />
“-schedule”, etc.) in a single policy, as needed. For<br />
more information on policy action combinations, especially<br />
to determine what will and what won’t work, see the User<br />
<strong>Guide</strong>.<br />
qos command<br />
WG#config<br />
WG(config)#qos<br />
Effect<br />
Enters the Quality of Service (QoS) configuration<br />
mode, at which point you can enter QoS action-specific task commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about “QoS” mode<br />
commands, see “Level 2 Quality of Service (QoS)<br />
configuration commands” on page 100.<br />
ras command<br />
WG#config<br />
WG(config)#ras<br />
Effect<br />
Enters the remote access services (RAS)<br />
configuration mode, at which point you can enter<br />
RAS connection-specific commands and their<br />
arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
See “Level 2 Remote Access Service (RAS)<br />
configuration commands” on page 102 for details<br />
on specific “RAS” mode commands.<br />
rename command<br />
WG#config<br />
WG(config)#rename \<br />
<br />
Effect<br />
Substitutes a new name for an existing object name.<br />
Arguments<br />
<br />
Use this argument to enter the type of object this<br />
name is applied to, whether (for example) an IPSec<br />
action, an address group, a RAS user profile, etc.<br />
<br />
Use this command to enter the existing name.<br />
<br />
Use this command to enter the new name.<br />
Example<br />
WG(config)#rename address eng_net<br />
engineering<br />
schedule command<br />
WG#config<br />
WG(config)#schedule<br />
[-all| \<br />
-mon|-tue|-wed|-thu|-fri|-sat|-sun]<br />
{hr:min-hr:min \<br />
[hr:min-hr:min] [hr:min-hr:min] [hr:min-hr:min]}<br />
Effect<br />
Use this command to set up a schedule for use in<br />
the application of policies. Schedules can be set up<br />
for the same hours for every day or for different<br />
daily schedules, depending upon the arguments.<br />
Arguments<br />
<br />
Type a short, descriptive name for this schedule.<br />
<br />
This argument specifies whether this schedule is<br />
currently active or not.<br />
-<br />
This argument defines the days of the week. The value can be “all” for all seven days, or any combination of the days of the week: mon, tue, wed, thu, fri, sat, and sun.<br />
{hour:minute-hour:minute}<br />
This argument (which can be repeated for different blocks of time) gives a range of hours, such as “9:00-12:00” (9:00 am to noon). Be sure to wrap the range in curly brackets, as shown in the examples below. Hours must be entered in 24-hour (military) time.<br />
TIP<br />
A midnight start time should be entered as “0:00”.<br />
Example<br />
WG(config)#schedule workdays -mon \<br />
{8:00-12:00 13:00-19:00} \<br />
-fri {9:00-12:00} enable<br />
WG(config)#schedule 24_7 -all {0:00-24:00}<br />
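As an added example (not code from the WatchGuard guide), the Python below parses schedule commands in the syntax shown above, enforces the 24-hour and curly-bracket rules, and answers whether a policy bound to the schedule is active at a given weekday and time. It assumes that enable/disable may appear either after the name or last, and that a schedule given without either is enabled.<br />

```python
import re

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
_RANGE_RE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def to_minutes(hh, mm):
    """Convert 24-hour 'hh', 'mm' strings to minutes since midnight (24:00 = end of day)."""
    h, m = int(hh), int(mm)
    if not (0 <= h <= 24 and 0 <= m <= 59) or (h == 24 and m != 0):
        raise ValueError(f"invalid 24-hour time {hh}:{mm}")
    return h * 60 + m


def parse_ranges(block):
    """'{8:00-12:00 13:00-19:00}' -> [(480, 720), (780, 1140)]."""
    if not (block.startswith("{") and block.endswith("}")):
        raise ValueError("time ranges must be wrapped in curly brackets")
    ranges = []
    for tok in block[1:-1].split():
        m = _RANGE_RE.match(tok)
        if not m:
            raise ValueError(f"bad range {tok!r}: expected hr:min-hr:min in 24-hour time")
        start, end = to_minutes(m[1], m[2]), to_minutes(m[3], m[4])
        if start >= end:
            raise ValueError(f"range {tok!r} must end after it starts")
        ranges.append((start, end))
    return ranges


def parse_schedule(line):
    """Parse one schedule command into {'name', 'enabled', 'days': {day: [(start, end), ...]}}."""
    toks = re.findall(r"\{[^}]*\}|\S+", line.strip())   # keep each {...} block as one token
    if toks and "#" in toks[0]:                         # tolerate a pasted 'WG(config)#' prompt
        toks[0] = toks[0].split("#", 1)[1]
    if len(toks) < 4 or toks[0] != "schedule":
        raise ValueError("expected: schedule <name> [enable|disable] -day {hr:min-hr:min ...} ...")
    name, rest = toks[1], toks[2:]
    # Assumption: the guide's argument list puts enable/disable right after the name but its
    # example puts it last, so both positions are accepted; neither present means enabled.
    enabled = True
    if rest[0] in ("enable", "disable"):
        enabled = rest.pop(0) == "enable"
    elif rest[-1] in ("enable", "disable"):
        enabled = rest.pop() == "enable"
    if not rest or len(rest) % 2:
        raise ValueError("every -day flag needs one {hr:min-hr:min ...} block")
    days = {}
    for flag, block in zip(rest[::2], rest[1::2]):
        day = flag[1:]
        if not flag.startswith("-") or (day != "all" and day not in DAYS):
            raise ValueError(f"unknown day flag {flag!r}")
        for d in (DAYS if day == "all" else (day,)):
            days.setdefault(d, []).extend(parse_ranges(block))
    return {"name": name, "enabled": enabled, "days": days}


def is_active(schedule, day, hhmm):
    """True when the schedule is enabled and weekday `day` at `hhmm` falls inside a range."""
    if not schedule["enabled"]:
        return False
    t = to_minutes(*hhmm.split(":"))
    return any(start <= t < end for start, end in schedule["days"].get(day, []))


if __name__ == "__main__":
    wd = parse_schedule("WG(config)#schedule workdays -mon {8:00-12:00 13:00-19:00} -fri {9:00-12:00} enable")
    print(wd)
    print("mon 12:30 active:", is_active(wd, "mon", "12:30"))   # lunch gap -> False
```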
service command<br />
WG#config<br />
WG(config)#service [+] \<br />
<br />
Effect<br />
Records a new service entry (individual or group)<br />
for use in policies. The service must be noted as<br />
either a “single” service, a “range” of port numbers<br />
for a single service, or, as a “group” of existing<br />
related services.<br />
Arguments<br />
<br />
Enter the name of this new service or group.<br />
-single { }<br />
Use this argument to note the protocol and port<br />
number of a single service.<br />
-range { }<br />
Use this argument to note the protocol and two or<br />
more port numbers for a single service.<br />
-group { [<br />
\<br />
]}<br />
Use this argument to note the names of two or<br />
more related services.<br />
+<br />
Use this argument (the “+” character) to add an additional service to an existing group.<br />
Examples<br />
WG(config)# service ldap -single tcp 389<br />
WG(config)# service my_app -range tcp<br />
6000-6006<br />
WG(config)# service my_app + -single udp<br />
6010<br />
WG(config)# service email -group<br />
"mail_SMTP" \<br />
-group "POP3"<br />
system command<br />
WG#config<br />
WG(config)#system<br />
Effect<br />
Enters system parameter configuration mode, at<br />
which point you can enter system-specific<br />
commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about “system” mode<br />
commands, see “Level 2 System Configuration<br />
commands” on page 107.<br />
trace command<br />
WG#config<br />
WG(config)#trace [ike ] #level=1-6<br />
[cmm ]<br />
[ nm ]<br />
[pmm ]<br />
[ ha ]<br />
Effect<br />
Runs a trace for the specified object.<br />
Arguments<br />
None in this mode.<br />
tenant command<br />
WG#config<br />
WG(config)#tenant<br />
Effect<br />
Enters the tenant configuration mode, at which<br />
point you can record a new tenant entry for either a<br />
VLAN or user-domain tenant.<br />
Arguments<br />
None in this level.<br />
See Also<br />
See “Level 2 tenant configuration commands” on<br />
page 119 for more information about the next level<br />
of tenant commands.<br />
tunnel_switch command<br />
WG#config<br />
WG(config)#tunnel_switch <br />
Effect<br />
Enables (or disables) the tunnel switching<br />
capability of this <strong>WatchGuard</strong> appliance, according<br />
to the specific argument. (Must be done before<br />
applying specific tunnel-switching security<br />
policies.)<br />
Arguments<br />
<br />
The default state is “disable”.<br />
Example<br />
WG(config)#tunnel_switch enable<br />
history command<br />
WG#config<br />
WG(config)#history<br />
Effect<br />
Shows the last 20 commands exercised at this level<br />
of <strong>CLI</strong>. Note, too, that you can apply it at any level<br />
of the <strong>CLI</strong>.<br />
For example, you may apply the “history” command after extensive policy creation and see a series of 20 commands numbered “64” through “83”, the most recent command being listed as 83.<br />
Arguments<br />
None<br />
Example<br />
WG(config)#history<br />
Results<br />
Executed Commands:<br />
0 ike<br />
1 address<br />
2 address "pubs" -host 10.10.99.1<br />
3 show address pubs<br />
4 dos<br />
5 denial<br />
WG(config)#<br />
Second level configuration mode commands<br />
The following sections detail the second-level configuration commands, which are divided into “task” or “topical” collections:<br />
• “Level 2 certificate configuration commands” on<br />
page 67<br />
• “Level 2 High Availability configuration commands”<br />
on page 72<br />
• “Level 2 IKE configuration commands” on page 78<br />
• “Level 2 interface configuration commands” on<br />
page 82<br />
• “Level 2 IPSec configuration commands” on page 95<br />
• “Level 2 license commands (for upgraded or additional<br />
features)” on page 117<br />
• “Level 2 Quality of Service (QoS) configuration<br />
commands” on page 100<br />
• “Level 2 Remote Access Service (RAS) configuration<br />
commands” on page 102<br />
• “Level 2 System Configuration commands” on<br />
page 107<br />
• “Level 2 tenant configuration commands” on page 119<br />
Level 2 certificate configuration commands<br />
request command (configure certificate level)<br />
WG#config<br />
WG(config)#certificate <br />
WG(config-cert)#request -company<br />
\<br />
[-country] [-department ]<br />
-dns_name \<br />
[-ip_address ] [-user_domain<br />
\<br />
] [-key_usage {<br />
\<br />
}]<br />
Effect<br />
Generates a VPN certificate request that can be sent<br />
to a certifying authority. After executing this<br />
command (with the required arguments), you must<br />
cut the resulting certificate text and paste it into the<br />
relevant form: an e-mail message, a Web-site<br />
request or a text file, that you transmit to the<br />
proper authority.<br />
Arguments<br />
<br />
This argument notes the host name of this<br />
appliance (omitting the remainder of the DNS<br />
entry.)<br />
-company <br />
This argument notes the name of your company or<br />
organization.<br />
-country <br />
This argument notes the name (or official abbreviation) of your country. The default is “US”.<br />
-department <br />
This optional argument notes the specific<br />
department name.<br />
-dns_name <br />
This argument notes the fully qualified DNS name<br />
of this appliance.<br />
-ip_address <br />
This argument notes the IP address of this<br />
appliance’s interface 1.<br />
-user_domain <br />
This argument notes a user domain name, if any.<br />
-key_usage { }<br />
This argument notes the key usage particulars, including RSA or DSA and the key length in bits. It also notes your choice of encryption or signature (or both).<br />
Example<br />
WG(config-cert)#request -cert1 -com BigCompany \<br />
-cou US -dns RS1.WatchGuard.com -key \<br />
{rsa 1024 both}<br />
If this command is successful, the <strong>CLI</strong> will prompt<br />
you to cut and paste the results into the<br />
appropriate means of submitting this request to the<br />
authority.<br />
import command (configure certificate level)<br />
WG#config<br />
WG(config)#certificate <br />
WG(config-cert)#import <br />
Effect<br />
Assists in the importing of the contents of a newly received VPN or Web certificate into the <strong>WatchGuard</strong> appliance database.<br />
To import a certificate, you must open the<br />
certificate file and copy the text, then paste it into<br />
the command in the proper location, as shown in<br />
the following example.<br />
Arguments<br />
None.<br />
Example<br />
WG(config-cert)# import<br />
Results<br />
On-screen instructions appear, as shown here.<br />
Paste certificate below, then press<br />
Enter.<br />
-----BEGIN CERTIFICATE-----<br />
-----END CERTIFICATE-----<br />
show command (configure certificate level)<br />
WG#config<br />
WG(config)#certificate <br />
WG(config-cert)#show [cert_id]<br />
Effect<br />
Displays the properties of a specific certificate or certificate request. If no certificate ID argument is given, this command lists all current certificates and pending certificate requests.<br />
Arguments<br />
[cert_id]<br />
This optional argument records a specific<br />
certificate ID.<br />
Examples<br />
WG(config-cert)# show<br />
Ord  TYPE  NAME                     Subject                  Cert id     KeyAlgo<br />
1    Pndg  cn=a,o=WatchGuard,c=US   cn=a,o=WatchGuard,c=US   20001       RSA<br />
2    CA    o=WatchGuard Inc.,c=US   o=WatchGuard Inc.,c=US   1075246528  RSA<br />
—OR—<br />
WG(config-cert)# show 20001<br />
Pending Certificate<br />
Name:cn=a,o=rapidstreaym,c=US<br />
Subject:cn=a,o=rapidstreaym,c=US<br />
Cert ID:20001<br />
DNS Name:<strong>WatchGuard</strong>.com<br />
Key Algorithm:RSA Length: 1024<br />
Key Usage:both<br />
Issued by:<br />
Valid Period:-<br />
-----BEGIN CERTIFICATE REQUEST-----<br />
-----END CERTIFICATE REQUEST-----<br />
ssl command (configure certificate level)<br />
WG#config<br />
WG(config)#certificate <br />
WG(config-cert)#ssl <br />
Effect<br />
Creates a Web (SSL) certificate request for this appliance. After the request is generated, you must copy and paste the text into a text file and send it to a third-party CA as part of a formal request for a Web certificate.<br />
Arguments<br />
<br />
Use this argument to enter either the IP address or<br />
host name of this security appliance.<br />
Example<br />
WG(config-ssl)# ssl rs101<br />
Creating certificate request could take<br />
several minutes.<br />
Please wait…<br />
-----BEGIN CERTIFICATE REQUEST-----<br />
-----END CERTIFICATE REQUEST-----<br />
Level 2 High Availability configuration commands<br />
show command (configure high availability level)<br />
WG#config<br />
WG(config)#high_availability <br />
WG(config-ha)#show<br />
Effect<br />
Displays the configuration settings for any High<br />
Availability ports in this <strong>WatchGuard</strong> appliance.<br />
Arguments<br />
None<br />
Example<br />
WG(config-ha)#show<br />
HA Type: Active_Active<br />
Primary System Name =2026<br />
Secondary System Name =2027<br />
No Shared Secret<br />
Interfaces Primary IP Mask Secondary IP Mask Monitoring<br />
0: 192.168.104.64 255.255.255.0 192.168.104.65 255.255.255.0 ON<br />
1: 192.128.134.32 255.255.255.0 192.128.134.33 255.255.255.0 ON<br />
2: 30.0.0.1 255.0.0.0 30.0.0.8 255.0.0.0 OFF<br />
3: 40.0.0.1 255.0.0.0 40.0.0.2 255.0.0.0 OFF<br />
Advanced HA Parameters: HA1:Enabled HA2:Disabled<br />
Primary<br />
HA1 IP 1.0.0.1 netmask 255.255.255.0<br />
HA2 IP 10.10.10.26 netmask 255.255.0.0<br />
Secondary<br />
HA1 IP 1.0.0.3 netmask 255.255.255.0<br />
HA2 IP 10.10.10.27 netmask 255.255.0.0<br />
HA Status<br />
HA Role: Primary<br />
DB Time Stamp:<br />
Primary: Thu Dec 5 16:38:58 2002<br />
Secondary: Thu Dec 5 16:38:58 2002<br />
Status: Primary: ACTIVE Secondary: ACTIVE<br />
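An added example, not code from the guide: the Python below parses output in the shape of the show listing above (the sample text is constructed from it, not captured from a device) and lists what a reviewer would raise before trusting the pair: a missing shared secret, HA2 left disabled, interfaces whose link status is not monitored, peer addresses on different subnets, and a peer that is not ACTIVE.<br />

```python
import ipaddress
import re

# Constructed sample in the shape of the guide's 'show' listing (not captured from a device).
SAMPLE_HA_SHOW = """\
HA Type: Active_Active
Primary System Name =2026
Secondary System Name =2027
No Shared Secret
Interfaces Primary IP Mask Secondary IP Mask Monitoring
0: 192.168.104.64 255.255.255.0 192.168.104.65 255.255.255.0 ON
1: 192.128.134.32 255.255.255.0 192.128.134.33 255.255.255.0 ON
2: 30.0.0.1 255.0.0.0 30.0.0.8 255.0.0.0 OFF
3: 40.0.0.1 255.0.0.0 40.0.0.2 255.0.0.0 OFF
Advanced HA Parameters: HA1:Enabled HA2:Disabled
HA Status
HA Role: Primary
Status: Primary: ACTIVE Secondary: ACTIVE
"""

# One interface row: index, primary ip/mask, secondary ip/mask, monitoring flag.
_IF_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(ON|OFF)$")


def parse_ha_show(text):
    """Pull the fields the audit needs out of a 'show' listing."""
    info = {"type": None, "shared_secret": True, "ha2": None,
            "interfaces": [], "status": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HA Type:"):
            info["type"] = line.split(":", 1)[1].strip()
        elif line == "No Shared Secret":
            info["shared_secret"] = False
        elif (m := _IF_RE.match(line)):
            idx, pip, pmask, sip, smask, mon = m.groups()
            info["interfaces"].append({
                "index": int(idx),
                "primary": ipaddress.ip_interface(f"{pip}/{pmask}"),
                "secondary": ipaddress.ip_interface(f"{sip}/{smask}"),
                "monitoring": mon == "ON",
            })
        elif line.startswith("Advanced HA Parameters:"):
            info["ha2"] = "HA2:Enabled" in line
        elif line.startswith("Status:"):
            for role, state in re.findall(r"(Primary|Secondary):\s*(\w+)", line):
                info["status"][role.lower()] = state
    return info


def audit_ha(info):
    """Return the review findings for a parsed listing; an empty list means nothing to raise."""
    findings = []
    if not info["shared_secret"]:
        findings.append("no shared secret configured for the HA pair")
    if info["ha2"] is False:
        findings.append("HA2 disabled: HA1 is the only link between the peers")
    for itf in info["interfaces"]:
        p, s = itf["primary"], itf["secondary"]
        if p.network != s.network:
            findings.append(f"interface {itf['index']}: {p} and {s} are on different subnets")
        if not itf["monitoring"]:
            findings.append(f"interface {itf['index']}: link status is not monitored")
    for role, state in info["status"].items():
        if state != "ACTIVE":
            findings.append(f"{role} peer reports {state}")
    return findings


if __name__ == "__main__":
    for f in audit_ha(parse_ha_show(SAMPLE_HA_SHOW)):
        print("-", f)
```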
Enable high availability<br />
WG#config<br />
WG(config)#high_availability <br />
WG(config-ha)$<br />
[active_standby | active_active]<br />
[advanced] Enter Advanced<br />
Setting Mode<br />
[disable]<br />
[hotsync]<br />
[monitor ]<br />
[ [interface N ip ] |<br />
[-name systemName2] ]<br />
[no][shared_secret secret1]<br />
show show current configuration<br />
and statistics<br />
history show command history<br />
exit go back to parent level<br />
top go back to root level<br />
Effect<br />
Enables high availability in <strong>WatchGuard</strong><br />
appliances with one or more HA interfaces, and<br />
assists you in entering precise HA system settings.<br />
Arguments<br />
active_standby | active_active<br />
This turns high availability on in either Active/<br />
Standby mode or Active/Active mode. For more<br />
information on these modes, see the Vcontroller<br />
User <strong>Guide</strong>.<br />
advanced<br />
This enters advanced High Availability<br />
configuration mode, and shows the following<br />
prompt:<br />
WG(config-ha-advanced)$<br />
For more information, see “High Availability advanced configuration mode” on page 77.<br />
disable<br />
Disables High Availability.<br />
hotsync<br />
Syncs the local appliance with its peer. In Active/<br />
Standby mode a hotsync should be performed<br />
every time the configuration of the Active box is<br />
changed. In Active/Active mode, a hotsync should<br />
only be performed during the initial setup, when<br />
the secondary appliance is in factory default<br />
configuration.<br />
monitor {1 & | 2}<br />
This optional command specifies which interface (1<br />
or 2) you want this appliance to monitor for link<br />
status. (Note that the 0 (private) interface is always<br />
being monitored.)<br />
[interface N<br />
ip ] |<br />
[-name systemName2] ]<br />
[no][shared_secret secret1]<br />
ha1_interface \<br />
<br />
This command configures the IP address of the<br />
HA1 interface of the master and backup<br />
appliances.<br />
ha2_interface \<br />
<br />
This command configures the IP address of the<br />
HA2 interface of the master and backup appliances, if needed.<br />
<br />
This command will, depending on your use,<br />
activate or deactivate the HA system.<br />
polling_interval <br />
This optional command establishes the HA polling<br />
interval. The default value is “1 second”, but you<br />
can increase it to “15” if you choose.<br />
id <br />
This optional command notes the VRRP group ID<br />
for this HA pairing, if one has been assigned to it.<br />
The number should be between 1 and 255.<br />
Example<br />
WG(config-ha)# monitor {pub} poll 5<br />
Apply high availability configuration changes<br />
WG#config<br />
WG(config)#high_availability <br />
WG(config-ha)#exit<br />
Effect<br />
Initiates the process of saving and applying any<br />
just-completed HA interface configurations. You<br />
will be asked to confirm the committing of these<br />
changes, at which time you can press Y to do so.<br />
Arguments<br />
None<br />
Example<br />
WG(config-ha)#exit<br />
Commit (Y/N)?y<br />
…<br />
HA IP address is set to 12.10.1.2,<br />
please wait for it to take effect…<br />
WG(config-ha)#<br />
High Availability advanced configuration mode<br />
WG#config<br />
WG(config)#high_availability <br />
WG(config-ha)#advanced<br />
WG(config-ha-advanced)#<br />
[action ]<br />
[ha2 ]<br />
[primary ip ]<br />
[secondary |<br />
]<br />
show show current<br />
configuration and statistics<br />
history show command<br />
history<br />
rename rename an object<br />
exit go back to parent<br />
level<br />
top go back to root<br />
level<br />
Effect<br />
Allows you to configure advanced settings for<br />
High Availability.<br />
Arguments<br />
action <br />
Allows you to manually failover or restart the local<br />
or peer appliance of the HA pair. The local<br />
appliance is the one you are connected to, and the<br />
peer is its HA pair.<br />
ha2 <br />
Allows you to enable the HA2 port for HA use. When this is enabled, and the HA2 ports are connected between the two appliances in addition to the HA1 ports, an added level of redundancy is ensured.<br />
primary ip <br />
secondary | <br />
This allows you to set the IP addresses and<br />
netmasks for the primary and secondary device’s<br />
HA ports.<br />
Example<br />
WG#config<br />
WG(config)#high_availability <br />
WG(config-ha)#advanced<br />
WG(config-ha-advanced)#primary ha1 ip \<br />
10.10.10.11|255.255.0.0 \<br />
secondary ha1 ip 10.10.10.12<br />
Level 2 IKE configuration commands<br />
action command (configure IKE level)<br />
WG#config<br />
WG(config)#ike <br />
WG(config-ike)#action \<br />
[no]<br />
[-natt [-natt_keepalive<br />
] ]<br />
[extended_authentication] [+] \<br />
-rsa<br />
{} \<br />
-dss {} \<br />
-preshared<br />
{
Arguments<br />
<br />
Enter the name of this action prior to recording the<br />
arguments.<br />
<br />
This argument specifies your choice of mode.<br />
[-natt [-natt_keepalive<br />
]]<br />
-natt enables or disables NAT Traversal (UDP<br />
encapsulation).<br />
-natt_keepalive allows you to specify the time<br />
in seconds between keep-alive messages.<br />
[extended_authentication]<br />
This argument, when present, activates extended<br />
authentication, used for remote access connection<br />
requests.<br />
-rsa<br />
{}<br />
This argument and its values detail the RSA IKE<br />
transform.<br />
-dss { \<br />
&| lifesize[KB|MB]>}<br />
This argument and its values detail the DSS IKE<br />
transform.<br />
-preshared {<br />
\<br />
}<br />
This argument and its values specify the preshared<br />
key IKE transform. In all of the three<br />
preceding arguments, the following values are<br />
options you can apply:<br />
Option Description<br />
g1 and g2 represent the two Diffie-Hellman group options.<br />
des|3des represent two encryption algorithm options.<br />
md5|sha represent two other encryption algorithm options.<br />
Lifetime (minutes/hours) represents a key lifetime setting, measured in time.<br />
Lifesize (KB/MB) represents a key lifetime, measured in kilo- or megabytes.<br />
Example<br />
WG(config-ike)#action my_act -main \<br />
-rsa {g2 3des md5 10hr 100MB} {g1 des sha 45min} \<br />
-dss {g2 3des sha 8hr}<br />
policy command (configure IKE level)<br />
WG#config<br />
WG(config)#ike <br />
WG(config-ike)#policy \<br />
-action<br />
\<br />
-peer \<br />
[-local<br />
{} [-preshared ]<br />
\<br />
[-position ]<br />
Effect<br />
Records a new IKE policy, including actions.<br />
Arguments<br />
<br />
This argument records a brief, descriptive name for<br />
this policy.<br />
< * |peer_address><br />
This argument notes either “any” (indicated by *)<br />
or the address group representing the peer<br />
appliance(s).<br />
-action <br />
This argument notes the name of the IKE action<br />
used by this policy.<br />
-peer | -address &| -<br />
domain \<br />
&| -user_domain <br />
&| -X.500 \<br />
0]<br />
This argument specifies the means of identifying<br />
the peer appliance from these five options. You can<br />
enter “any” as the sole option or combine any of<br />
these options (and values) in this argument:<br />
Option Description<br />
represents an address group used as peer ID type.<br />
represents a domain name as the peer ID type.<br />
represents a user domain name as the peer ID<br />
type.<br />
represents X.500 as the peer ID type.<br />
[-local { }] This optional argument specifies which ID for -peer, as noted above.<br />
[-preshared ] This optional argument records the preshared key text for this policy. You must enter the actual key text as either ASCII text or hexadecimal notation.<br />
[-position ] This argument records the numeric position assigned to this policy in the IKE policy table.<br />
Example<br />
WG(config-ike)#policy "Remote Users" * -<br />
action \<br />
remote_users -peer -domain<br />
<strong>WatchGuard</strong>.com \<br />
-user_domain <strong>WatchGuard</strong>.com -local<br />
{20001 domain}<br />
WG(config-ike)#policy IKE_NY_SJ<br />
NY_Gateway \<br />
-action psk_main -peer any -preshared \<br />
"secret"<br />
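An added example serving both the action and the policy commands above (not code from the guide): it parses an action line's -rsa/-dss/-preshared transform sets using the option table, flags the options a present-day reviewer would reject, and checks the length of a policy's -preshared key. The weak-option list and the 20-character key threshold are this example's assumptions, not the guide's, and the en-dash normalisation exists only because PDF extraction turns “-rsa” into “–rsa”.<br />

```python
import re

# Option vocabulary from the transform table above.
_GROUPS, _CIPHERS, _HASHES = {"g1", "g2"}, {"des", "3des"}, {"md5", "sha"}
_LIFE_RE = re.compile(r"^(\d+)(min|hr|KB|MB)$")

# Assumption, not from the guide: options a present-day reviewer would reject.
WEAK = {"g1": "Diffie-Hellman group 1", "des": "single DES", "md5": "MD5"}
MIN_PSK_CHARS = 20   # this example's threshold for -preshared keys, also an assumption


def parse_transform(block):
    """'{g2 3des md5 10hr 100MB}' -> {'group': 'g2', 'cipher': '3des', ...}."""
    t = {"group": None, "cipher": None, "hash": None, "lifetime": None, "lifesize": None}
    for tok in block.strip("{}").split():
        if tok in _GROUPS:
            t["group"] = tok
        elif tok in _CIPHERS:
            t["cipher"] = tok
        elif tok in _HASHES:
            t["hash"] = tok
        elif (m := _LIFE_RE.match(tok)):
            key = "lifetime" if m[2] in ("min", "hr") else "lifesize"
            t[key] = (int(m[1]), m[2])
        else:
            raise ValueError(f"unknown transform option {tok!r}")
    missing = [k for k in ("group", "cipher", "hash") if t[k] is None]
    if missing:
        raise ValueError(f"transform {block} lacks {', '.join(missing)}")
    return t


def parse_action(line):
    """Parse 'action <name> ... -rsa {..} {..} -dss {..} -preshared {..}' into its transform sets."""
    line = line.replace("\u2013", "-")            # PDF extraction turned '-rsa' into an en dash
    toks = re.findall(r"\{[^}]*\}|\S+", line)     # keep each {...} block as one token
    if toks and "#" in toks[0]:                   # tolerate a pasted 'WG(config-ike)#' prompt
        toks[0] = toks[0].split("#", 1)[1]
    if len(toks) < 2 or toks[0] != "action":
        raise ValueError("expected: action <name> ...")
    act = {"name": toks[1], "transforms": {}}
    auth = None
    for tok in toks[2:]:
        if tok in ("-rsa", "-dss", "-preshared"):
            auth = tok[1:]
            act["transforms"].setdefault(auth, [])
        elif tok.startswith("{"):
            if auth is None:
                raise ValueError(f"transform {tok} appears before -rsa/-dss/-preshared")
            act["transforms"][auth].append(parse_transform(tok))
        # -main/-aggressive, -natt, extended_authentication etc. are not audited here
    return act


def audit_action(act):
    """List every weak option in every transform set of a parsed action."""
    findings = []
    for auth, transforms in act["transforms"].items():
        for n, t in enumerate(transforms, 1):
            for k in ("group", "cipher", "hash"):
                if t[k] in WEAK:
                    findings.append(f"{act['name']}: {auth} transform {n} uses {t[k]} ({WEAK[t[k]]})")
    return findings


def audit_preshared_key(key):
    """Flag a policy's -preshared key that is too short to resist guessing."""
    if len(key) < MIN_PSK_CHARS:
        return [f"preshared key is {len(key)} characters, below {MIN_PSK_CHARS}"]
    return []


if __name__ == "__main__":
    example = ("WG(config-ike)#action my_act -main "
               "\u2013rsa {g2 3des md5 10hr 100MB} {g1 des sha 45min} \u2013dss {g2 3des sha 8hr}")
    for f in audit_action(parse_action(example)) + audit_preshared_key("secret"):
        print("-", f)
```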
Level 2 interface configuration commands<br />
Enter system interface configuration mode<br />
WG#config<br />
WG(config)#interface<br />
Effect<br />
Enters the system interface configuration mode.<br />
Arguments<br />
None. Please review the rest of this section for<br />
related commands.<br />
show command (configure interface level)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#show<br />
Effect<br />
Displays the current network address settings for each of the main security appliance data interfaces: 0 (private), 1 (public) or 2 (DMZ, where applicable).<br />
Arguments<br />
None.<br />
Example<br />
WG(config-if)# show<br />
The results appear as shown in this example:<br />
interface 0: ip = 10.10.13.101 netmask = 255.255.0.0 status = UP mac address = 00:01:21:10:01:e5<br />
interface 1: ip = 16.10.203.121 netmask = 255.255.255.0 status = DOWN mac address = 00:01:21:10:01:e6<br />
interface 2: ip = 10.20.0.1 netmask = 255.255.255.0 status = DOWN mac address = 00:01:21:10:01:e7<br />
interface 0 command (configure interface level)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#interface 0 [ [-mtu<br />
num]<br />
[-100_full_duplex | -<br />
100_half_duplex|<br />
-10_full_duplex|-10_half_duplex<br />
| -auto]] |<br />
[[no] dhcp_server -clients num [-lease_time num<br />
[hours|days]]]<br />
[dhcp_relay ]<br />
# -lease_time default is 7 days<br />
Effect<br />
Use this command to configure the network<br />
identity of a <strong>WatchGuard</strong> appliance's interface 0<br />
(Private).<br />
Arguments<br />
<br />
This argument records the IP address assigned to<br />
this interface.<br />
<br />
This argument records the number of bits in the<br />
subnet mask (for example, “/16” is equivalent to<br />
the address 255.255.0.0), or the actual subnet mask<br />
address.<br />
-mtu num<br />
This allows you to set the size of the Maximum<br />
Transmission Unit (MTU). The default is 1500<br />
bytes.<br />
[-100_full_duplex | -100_half_duplex|<br />
-10_full_duplex|-10_half_duplex | -<br />
auto]] |<br />
This setting allows you to specify the speed at<br />
which the interface will operate.<br />
[[no] dhcp_server -clients num [-lease_time num [hours|days]]]<br />
This allows you to activate the DHCP server service on this interface, and specify information for it, including the number of clients allowed DHCP access and the lease time for a DHCP address. The lease time default is 7 days.<br />
Put “no” in front of this command to turn off the<br />
DHCP server on this interface.<br />
[dhcp_relay ]<br />
This allows you to use a separate DHCP server on<br />
your network to serve DHCP addresses, with the<br />
Vclass acting as a DHCP agent.<br />
Example<br />
WG(config-if)#interface 0 10.12.12.7 255.255.255.0 \<br />
-mtu 1500 -100_half_duplex no dhcp_server<br />
or<br />
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \<br />
-100_half_duplex no dhcp_server<br />
or<br />
WG(config-if)#interface 0 10.12.12.7/24 -mtu 1500 \<br />
-100_half_duplex dhcp_relay 10.0.0.253<br />
private command (configure interface level, V10 only)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#private <br />
[no] dhcp_server -clients NUMBER [-lease_time NUMBER]<br />
Effect<br />
Use this command to configure DHCP server<br />
options assigned to a <strong>WatchGuard</strong> V10 appliance's<br />
Private (0) interface.<br />
Arguments<br />
<br />
This argument records the IP address assigned to<br />
this interface.<br />
<br />
This argument records the number of bits in the<br />
subnet mask, or the subnet mask.<br />
dhcp_server<br />
Enter this argument to activate DHCP server<br />
service on this appliance.<br />
-clients NUMBER<br />
This argument indicates the number of clients<br />
permitted DHCP access.<br />
-lease_time NUMBER<br />
This argument indicates the lease time for all client<br />
connections, and any limitations, recorded as<br />
minutes.<br />
[no] dhcp_server<br />
Enter this argument to disable any previously<br />
active DHCP service.<br />
Example<br />
WG(config-if)#private 192.168.1.1 255.255.255.0<br />
dhcp_server \<br />
-clients 3 -lease_time 60<br />
interface 1 command (configure interface level)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)# interface 1 [ |<br />
[-mtu num] |<br />
[-100_full_duplex | -100_half_duplex|<br />
-10_full_duplex|-10_half_duplex | -auto]] |<br />
[dhcp [host_id]] |<br />
[pppoe -user "name" -password "password"<br />
[ ]]<br />
[-unnumbered_pppoe |disable]]<br />
[backup [ip mask gateway ]|<br />
[dhcp [host_id] ] |<br />
[pppoe -user "name" -password "password"]<br />
[-unnumbered_pppoe |disable]] |<br />
[disable] |<br />
[switch_to_backup] |<br />
[tracking -remove|-add <br />
-interval <br />
-timeout <br />
-pause_before_failback ] ]<br />
#num is either auto reconnect delay in seconds.<br />
#or if dial_on_demand, the idle timeout in minutes.<br />
#ex: inter 1 pppoe -use u1 -pas xxxxx -dial 20<br />
#backup PPPoE connection only supports ALWAYS_ON.<br />
Effect<br />
Use this command to configure the network<br />
identity of a <strong>WatchGuard</strong> appliance’s interface 1<br />
(Public), if it is a publicly routable, fixed IP address.<br />
Arguments<br />
<br />
This argument records the IP address assigned to<br />
this interface.<br />
<br />
This argument records the number of bits in the<br />
subnet mask (for example, “/16” is equivalent to<br />
the address 255.255.0.0), or the actual subnet mask<br />
address.<br />
[-mtu num]<br />
This allows you to set the size of the Maximum<br />
Transmission Unit (MTU). The default is 1500<br />
bytes.<br />
[-100_full_duplex | -100_half_duplex|<br />
-10_full_duplex|-10_half_duplex | -<br />
auto]] |<br />
This setting allows you to specify the speed at<br />
which the interface will operate.<br />
[dhcp ["host_id"]] |<br />
This allows you to obtain the IP address of<br />
interface 1 using DHCP.<br />
[pppoe -user "name" -password<br />
"password"]<br />
This allows you to set Interface 1 to PPPoE. If the<br />
password contains the pound (#) character, it<br />
needs to be placed in double quotes.<br />
[ <br />
This allows you to set PPPoE to Dial-on-Demand or<br />
Always On mode. The function of following<br />
this option differs in each mode. For Dial-on-<br />
Demand mode, this number indicates the inactivity<br />
timeout interval in minutes (default is 20 minutes).<br />
For Always On mode, this number indicates the<br />
auto-reconnect interval in seconds (default is 60<br />
seconds).<br />
[-unnumbered_pppoe |disable]]<br />
This option allows you to use unnumbered PPPoE.<br />
For more information on unnumbered links, see<br />
RFC 1812 section 2.2.7.<br />
[backup [ip mask <br />
gateway ] | [dhcp [host_id] ]<br />
| [pppoe -user "name" -password<br />
"password"]<br />
[unnumbered_pppoe |disable]<br />
[disable]<br />
[switch_to_backup]<br />
This allows you to enable a Backup WAN<br />
connection for Interface 1, for systems that have<br />
unreliable ISPs or network providers. You can<br />
configure the failover connection as static, by<br />
typing the IP address, netmask, and gateway. You<br />
can configure the failover connection as DHCP<br />
using the [dhcp ["host_id"]] syntax. You can<br />
configure the interface as PPPoE (always on) using<br />
the [pppoe -user "name" -password<br />
"password"] syntax. You can configure the<br />
backup WAN connection as unnumbered PPPoE<br />
using the syntax [unnumbered_pppoe<br />
|disable].<br />
You can disable the backup connection by using the<br />
option [disable].<br />
You can switch to the backup connection using the<br />
command switch_to_backup.<br />
[tracking -remove|-add <br />
-interval <br />
-timeout <br />
-pause_before_failback<br />
] ]<br />
For systems that configure a Backup WAN<br />
connection using the failover command, these<br />
settings must be specified. You can add up to three<br />
IP addresses that are used to determine WAN<br />
failure. These addresses are used with the<br />
-interval and -timeout values to determine<br />
when the WAN connection has failed.<br />
-interval determines the amount of time that<br />
elapses between attempts to ping all three specified<br />
tracking addresses. -timeout determines the<br />
amount of time that can elapse before a ping<br />
attempt is considered failed. All three specified IP<br />
addresses must fail to respond to the ping attempt<br />
within the specified time to consider the WAN<br />
connection failed.<br />
In the event of failure, the WAN is switched over to<br />
the backup connection. This causes a brief<br />
interruption in processing while the system<br />
restarts. In order to prevent frequent restarts, the<br />
final parameter, -pause_before_failback, is<br />
provided. This allows you to specify the amount of<br />
time that must elapse between failovers.<br />
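The failure-detection rules just described, as an added example in Python (not WatchGuard code): a small state machine that applies the all-addresses-must-fail test, the -timeout threshold per probe, and -pause_before_failback to every switch. The tracking addresses and probe results are constructed, and the assumption that the link fails back once a tracking address answers again is mine, not the guide's.

```python
"""Backup WAN tracking simulation for the interface 1 tracking option.

Added example, not WatchGuard code. Assumed: times are seconds, a probe
round is evaluated as a whole, and the primary link is restored once any
tracking address answers again (the guide does not state the failback test).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Replies = Dict[str, Optional[float]]   # address -> round-trip seconds, None = no reply


@dataclass
class WanTracker:
    """Failure detector for a primary WAN link with a backup connection."""
    addresses: List[str]          # one to three tracking addresses
    interval: float               # seconds between probe rounds (rounds are fed explicitly here)
    timeout: float                # seconds after which a probe counts as failed
    pause_before_failback: float  # minimum seconds between two switches
    on_backup: bool = False
    last_switch: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= len(self.addresses) <= 3:
            raise ValueError("tracking takes one to three IP addresses")

    def probe_failed(self, rtt: Optional[float]) -> bool:
        """A probe fails when no reply arrived or it arrived after -timeout."""
        return rtt is None or rtt > self.timeout

    def wan_failed(self, replies: Replies) -> bool:
        """The WAN counts as failed only when every tracked address failed."""
        return all(self.probe_failed(replies.get(a)) for a in self.addresses)

    def pause_elapsed(self, now: float) -> bool:
        """-pause_before_failback seconds must pass between any two switches."""
        return (self.last_switch is None
                or now - self.last_switch >= self.pause_before_failback)

    def evaluate_round(self, now: float, replies: Replies) -> str:
        """Process one probe round; return the active link, "primary" or "backup"."""
        failed = self.wan_failed(replies)
        if failed and not self.on_backup:
            if self.pause_elapsed(now):
                self.on_backup, self.last_switch = True, now
                self.events.append(f"t={now:g}: all {len(self.addresses)} tracking "
                                   "addresses failed, switching to backup WAN")
            else:
                self.events.append(f"t={now:g}: primary failed, holding on primary "
                                   "(pause_before_failback not elapsed)")
        elif not failed and self.on_backup:
            if self.pause_elapsed(now):
                self.on_backup, self.last_switch = False, now
                self.events.append(f"t={now:g}: primary reachable, failing back")
            else:
                self.events.append(f"t={now:g}: primary reachable, holding on backup "
                                   "(pause_before_failback not elapsed)")
        return "backup" if self.on_backup else "primary"


def run_schedule(tracker: WanTracker, rounds: List[Tuple[float, Replies]]) -> List[str]:
    """Feed a list of (time, replies) rounds and return the link state after each."""
    return [tracker.evaluate_round(t, r) for t, r in rounds]


# Constructed scenario: three documentation-range addresses, -interval 10,
# -timeout 3, -pause_before_failback 60.
TRACKED = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
SAMPLE_ROUNDS: List[Tuple[float, Replies]] = [
    (0, {a: 0.02 for a in TRACKED}),                      # all healthy
    (10, {TRACKED[0]: None, TRACKED[1]: None, TRACKED[2]: 0.5}),  # one still answers
    (20, {TRACKED[0]: None, TRACKED[1]: 5.0, TRACKED[2]: None}),  # 5.0 s exceeds timeout
    (30, {a: 0.02 for a in TRACKED}),                     # recovered, but too soon
    (90, {a: 0.02 for a in TRACKED}),                     # pause elapsed, fail back
]


def demo() -> Tuple[List[str], List[str]]:
    """Run the constructed scenario; returns (states per round, event log)."""
    tracker = WanTracker(TRACKED, interval=10, timeout=3, pause_before_failback=60)
    states = run_schedule(tracker, SAMPLE_ROUNDS)
    return states, tracker.events


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```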
Example<br />
WG(config-if)#interface 1 10.10.12.8\<br />
255.255.0.0 -mtu 1500\<br />
-10_full_duplex<br />
or<br />
WG(config-if)#interface 1 10.10.12.8/16<br />
-mtu 1500 -10_full_duplex <br />
Example (PPPoE)<br />
WG(config-if)#interface 1 pppoe\<br />
-user joeuser -password joepass\<br />
-always_on 60<br />
Example (DHCP)<br />
WG(config-if)#interface 1 dhcp dhcpsrvr<br />
Example (Backup Connection)<br />
WG(config-if)#interface 1 10.10.12.8<br />
255.255.0.0 -mtu auto\<br />
-backup ip 10.10.24.16 mask 255.255.0.0\<br />
gateway 10.100.99.1 tracking -add<br />
124.12.15.16<br />
interface 2 (DMZ) command (configure interface level)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#interface 2 <br />
[-mtu num]<br />
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]<br />
Effect<br />
Use this command to configure the network<br />
identity of a <strong>WatchGuard</strong> appliance's interface 2<br />
(DMZ), where applicable.<br />
Arguments<br />
<br />
This argument records the IP address assigned to<br />
this interface.<br />
<br />
This argument records the number of bits in the<br />
subnet mask (for example, “/16” is equivalent to<br />
the address 255.255.0.0), or the actual subnet mask<br />
address.<br />
-mtu num<br />
This allows you to set the size of the Maximum<br />
Transmission Unit (MTU). The default is 1500<br />
bytes.<br />
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]<br />
This setting allows you to specify the speed at<br />
which the interface will operate.<br />
Example<br />
WG(config-if)#interface 2 10.12.12.9<br />
255.255.255.0 \<br />
-mtu 1500 -10_full_duplex<br />
or<br />
WG(config-if)#interface 2 10.12.12.9/24 -mtu<br />
1500 \<br />
-10_full_duplex<br />
interface 3 (DMZ2) command (configure interface level, V60 and V80 only)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#interface 3 <br />
[-mtu num]<br />
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]<br />
Effect<br />
Use this command to configure the network<br />
identity of a <strong>WatchGuard</strong> appliance's interface 3,<br />
where applicable.<br />
Arguments<br />
<br />
This argument records the IP address assigned to<br />
this interface.<br />
<br />
This argument records the number of bits in the<br />
subnet mask (for example, “/16” is equivalent to<br />
the address 255.255.0.0), or the actual subnet mask<br />
address.<br />
-mtu num<br />
This allows you to set the size of the Maximum<br />
Transmission Unit (MTU). The default is 1500<br />
bytes.<br />
[-100_full_duplex | -100_half_duplex | -10_full_duplex | -10_half_duplex | -auto]<br />
This setting allows you to specify the speed at<br />
which the interface will operate.<br />
Example<br />
WG(config-if)#interface 3 10.12.12.9<br />
255.255.255.0 \<br />
-mtu 1500 -auto<br />
or<br />
WG(config-if)#interface 3 10.12.12.9/24 -mtu<br />
1500 \<br />
-auto<br />
ha1 command (configure interface level)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#ha1 <br />
Effect<br />
Use this command to configure the network<br />
identity of a <strong>WatchGuard</strong> appliance's High<br />
Availability 1 interface, when this interface is used<br />
for management access instead of H-A<br />
functionality.<br />
Arguments<br />
<br />
This argument records the IP address assigned to<br />
this interface.<br />
<br />
This argument records the number of bits in the<br />
subnet mask, or the subnet mask.<br />
Example<br />
WG(config-if)#ha1 10.0.0.1<br />
255.255.255.0<br />
or<br />
WG(config-if)#ha1 10.0.0.1/24<br />
ha2 command (configure interface level)<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#ha2 <br />
Effect<br />
Use this command to configure the network<br />
identity of a <strong>WatchGuard</strong> appliance's High<br />
Availability 2 interface, when this interface is used<br />
for management access instead of H-A<br />
functionality.<br />
Arguments<br />
<br />
This argument records the IP address assigned to<br />
this interface.<br />
<br />
This argument records the number of bits in the<br />
subnet mask, or the subnet mask.<br />
Example<br />
WG(config-if)#ha2 10.0.0.1<br />
255.255.255.0<br />
or<br />
WG(config-if)#ha2 10.0.0.1/24<br />
mode command<br />
WG(config-if)# mode router | transparent<br />
Effect<br />
Use to switch the appliance between Router mode<br />
and Transparent mode.<br />
An appliance can only be switched from Router<br />
mode (default) to Transparent mode when the<br />
appliance is in the factory default configuration<br />
state. You are prompted to restore the system to the<br />
factory default state when you attempt this switch.<br />
An appliance can be switched from Transparent<br />
mode to Router mode in any configuration<br />
condition.<br />
A restart is required for the mode switch to take<br />
effect.<br />
Arguments<br />
None<br />
Example<br />
WG(config-if)# mode router<br />
Apply interface address changes to appliance<br />
WG#config<br />
WG(config)#interface<br />
WG(config-if)#exit<br />
Effect<br />
Use this command to immediately apply any<br />
interface address changes to this appliance. The<br />
appliance will update you with status messages (as<br />
shown below) to inform you about the process.<br />
Arguments<br />
None<br />
Example<br />
WG(config-if)# exit<br />
Commit (Y/N)?y<br />
Results<br />
…<br />
interface 1 IP address is set to<br />
16.10.203.121,<br />
please wait for it to take effect…<br />
WG(config)#<br />
Level 2 IPSec configuration commands<br />
action command (configure IPSec level)<br />
WG#config<br />
WG(config)#ipsec <br />
WG(config-ipsec)#action \<br />
< -tunnel_mode | -<br />
transport_mode> \<br />
-auto_key [no] pfs_group …<br />
\<br />
-manual_key \<br />
-esp \<br />
<br />
\<br />
-ah \<br />
<br />
Effect<br />
Records a new IPSec action (manual key or<br />
automatic key), including one or more proposals<br />
which have been created beforehand.<br />
Arguments<br />
<br />
Type a unique name for this action.<br />
<br />
This argument determines whether this action is<br />
tunnel mode or transport mode.<br />
<br />
If you enter tunnel mode, you must then qualify it<br />
with one of the following: (1) enter "*" to indicate<br />
ANY source, (2) enter a specific peer appliance’s IP<br />
address, or (3) enter the name of an address group<br />
containing the peer IP address.<br />
-auto_key<br />
Enter this argument if this action utilizes an<br />
automatic key. Do not use the “-manual_key”<br />
argument if using an automatic key.<br />
The following two arguments further qualify this<br />
automatic key exchange.<br />
[no] pfs_group <br />
If this action uses an automatic key, use this<br />
argument to specify which perfect forward secrecy<br />
(PFS) option (Diffie-Hellman Group 1 or 2) will be<br />
used. If none is used, preface this argument with<br />
“no”.<br />
[…]<br />
If this action uses an automatic key, use this<br />
argument to enter the IKE proposal names<br />
(whether one or more.)<br />
-manual_key<br />
Enter this argument if this action employs a<br />
manual key. (If doing so, do not use the “auto_key”<br />
argument.) The following ten arguments (grouped<br />
around ESP and AH algorithms) qualify this<br />
manual key exchange.<br />
-esp<br />
Enter this argument if this action employs an ESP<br />
protocol for the manual key.<br />
<br />
Use this argument to enter a unique number that<br />
represents the SPI of this appliance. The number<br />
should be between 256 and 65535.<br />
<br />
Use this argument to enter a different, unique<br />
number that represents the SPI of the peer security<br />
appliance. The number should be between 256 and<br />
65535.<br />
<br />
Use this argument to pick either DES or 3DES<br />
encryption algorithms.<br />
<br />
This argument will contain the actual manual key<br />
text, noted in ASCII or hexadecimal notation.<br />
-ah<br />
Enter this argument if this action employs an AH<br />
protocol for the manual key.<br />
<br />
Use this argument to enter a unique number that<br />
represents the SPI of this appliance. The number<br />
should be between 256 and 65535.<br />
<br />
Use this argument to enter a different, unique<br />
number that represents the SPI of the peer security<br />
appliance. The number should be between 256 and<br />
65535.<br />
<br />
Use this argument to pick either the MD5 or the SHA<br />
authentication (hash) algorithm.<br />
<br />
This argument will contain the actual manual key<br />
text, noted in ASCII or hexadecimal notation.<br />
Example<br />
WG(config-ipsec)# action NY_IPSec -tunnel \<br />
NY_Gateway -auto no pfs_group MAX_SECURITY \<br />
ESP-3DES<br />
# This command creates an auto-key IPSec action with a<br />
peer tunnel. The peer is NY_Gateway, PFS is not used, the<br />
first proposal is MAX_SECURITY and the second is<br />
ESP-3DES.<br />
WG(config-ipsec)# action remote_user_ipsec \<br />
-tunnel * -auto pfs_group 1 ESP-3DES-MD5 \<br />
ESP-DES-MD5<br />
# This command creates a tunnel mode, auto-key IPSec<br />
action for remote users. The peer tunnel IP is *<br />
(ANY), PFS uses DH group 1, and there are two<br />
proposals: ESP-3DES-MD5 and ESP-DES-MD5.<br />
WG(config-ipsec)# action SJ_Man -tunnel \<br />
102.39.45.28 -man -esp 256 982 3des mankey<br />
# This command results in a tunnel-mode, manual-key<br />
IPSec action with a peer tunnel IP address of<br />
102.39.45.28. It uses ESP-3DES (local SPI is 256, peer<br />
SPI is 982) and the key text is “mankey”.<br />
proposal command (configure IPSec level)<br />
WG#config<br />
WG(config)#ipsec <br />
WG(config-ipsec)#proposal [+] \<br />
[-antireplay_window [0|32|64]] \<br />
-esp {} \<br />
-ah {}…<br />
Effect<br />
Creates or modifies an IPSec proposal that can then<br />
be incorporated into IPSec actions (which can then<br />
be added to security policies.)<br />
Arguments<br />
<br />
This argument notes the name assigned to this new<br />
proposal.<br />
-antireplay_window <br />
This argument (and the required value) sets the<br />
anti-replay window size.<br />
-esp { [md5|sha] }<br />
If you want to include an ESP transform in this<br />
proposal, type this argument, plus the necessary<br />
values: algorithm, life size, life time.<br />
-ah { }<br />
If you want to include an AH transform in this<br />
proposal, type this argument, plus the necessary<br />
values: algorithm, life size, life time.<br />
+<br />
Type this character before entering a new<br />
transform that will be added to an existing IPSec<br />
proposal.<br />
Examples<br />
WG(config-ipsec)#proposal "new_prop1" -antireplay \<br />
32 -esp {3des md5 10hrs} {des md5 5hr 10MB} -ah \<br />
{sha 34min 100MB}<br />
# This example shows the creation of a<br />
new proposal.<br />
WG(config-ipsec)# prop my_proposal + -ah \<br />
{ sha 8hr }<br />
# This example shows the addition of a new AH<br />
transform to an existing proposal.<br />
Level 2 Quality of Service (QoS) configuration commands<br />
action command (configure Quality of Service level)<br />
WG#config<br />
WG(config)#qos <br />
WG(config-qos)#action -bandwidth_weight \<br />
<br />
Effect<br />
Records a new QoS action or modifies an existing<br />
action.<br />
Arguments<br />
<br />
This argument, immediately following the<br />
command, notes the name assigned to this new<br />
QoS action.<br />
-bandwidth_weight <br />
This argument (and the required value) determine<br />
the level of QoS based on the WFQ algorithm.<br />
Examples<br />
WG(config-qos)#action high_QoS -bandwidth 25<br />
WG(config-qos)#action mid_QoS -bandwidth 5<br />
Enable or disable port shaping for interface 0 or 1<br />
WG#config<br />
WG(config)#qos <br />
WG(config-qos)#system [ \<br />
] [enable|disable]<br />
Effect<br />
Enables (or disables) port shaping for either the<br />
interface 0 (private) or interface 1 (public) of a<br />
<strong>WatchGuard</strong> appliance, and enters the general QoS<br />
value for that interface. The value entered will be<br />
the sending throughput of that interface. To enable<br />
a system port-shaping action, the appliance will<br />
automatically restart in order to apply the policy.<br />
Arguments<br />
<br />
Use this argument to enter one of these interfaces.<br />
<br />
Use this argument to enter one option – Kbps or<br />
Mbps – plus the appropriate number value.<br />
<br />
Use this argument to enter one of these options.<br />
Example<br />
WG(config-qos)#system interface 1 10Mbps<br />
enable<br />
# This example shows a policy that restricts the output<br />
throughput of the Public interface to 10 megabits per<br />
second.<br />
Level 2 Remote Access Service (RAS) configuration commands<br />
group_profile command (configure RAS level)<br />
WG#config<br />
WG(config)#ras<br />
WG(config-ras)#group_profile \<br />
[no][-address_pool ] \<br />
[-dns ] [-session_time_out ] \<br />
[-idle_time_out ] \<br />
[-concurrent_logins_per_user ]<br />
Effect<br />
Creates a new RAS group profile (or modifies an<br />
existing profile) that controls the connection<br />
parameters of all associated remote access user<br />
accounts.<br />
Arguments<br />
<br />
This argument records a name for this group<br />
profile, which will be used when creating<br />
individual user profile accounts.<br />
[no] [-address_pool ]<br />
This argument specifies the name of an address<br />
group containing a pool of internal IP addresses<br />
assigned to remote access connections.<br />
[-dns ]<br />
This argument assigns a DNS server IP address to the<br />
remote users belonging to this group.<br />
[-session_time_out ]<br />
This argument limits the total time any one account<br />
user can continuously log into the network. The<br />
default time limit is 8 (hours).<br />
[-idle_time_out ]<br />
This argument sets the time limit for an inactive<br />
connection before it is automatically broken. The<br />
default is 15 (minutes.)<br />
[-concurrent_logins_per_user ]<br />
This argument specifies the number of concurrent<br />
connections a user can establish. The default is 1.<br />
Example<br />
WG(config-ras)#group consultants -address sjnet10 \<br />
-dns 134.12.33.2 -session 2 hr -idle 5 min -con 1<br />
user_profile command (configure RAS level)<br />
WG#config<br />
WG(config)#ras<br />
WG(config-ras)#user_profile \<br />
[enable|disable] \<br />
[-password "password"] \<br />
[-full_name ] \<br />
[-group_profile "profile_name"] \<br />
[-pw_expiry ] \<br />
[-account_expiry ] \<br />
[-concurrent_logins ]<br />
Effect<br />
Enters a new remote access user account (or<br />
modifies an existing account) in an internal<br />
database in the <strong>WatchGuard</strong> appliance.<br />
Arguments<br />
<br />
This argument records the login ID used by this<br />
remote user account, and should be between 1-15<br />
characters in length.<br />
<br />
This argument activates (or deactivates) this<br />
account. The default state is “enable”.<br />
<br />
This argument records the initial password first<br />
used by this account, and should be between 6 and<br />
8 characters in length.<br />
[-full_name ]<br />
This argument notes the full name of the user, up to<br />
15 characters in length.<br />
[-group_profile “profile_name”]<br />
This argument specifies which user group profile<br />
affects this user account. The default choice is<br />
“default setting”.<br />
[-pw_expiry ]<br />
This argument sets the number of days until the<br />
user’s password expires. The default is 90 days.<br />
[-account_expiry ]<br />
This argument sets the number of days until this<br />
account expires. The default lifetime is 180 days.<br />
[-concurrent_logins ]<br />
This argument limits the number of concurrent<br />
connections this account user can establish. The<br />
default is 1.<br />
Example<br />
WG(config-ras)#user enable jdoe \<br />
-password jdsecret -full "John Doe" \<br />
-group admGroup -pw_expiry 60 -account 60 \<br />
-concurrent 1<br />
Results<br />
To review and confirm your entries, type this<br />
command:<br />
WG(config-ras)#show user jdoe<br />
The results are displayed, similar to this example:<br />
User Profile|<br />
Name = jdoe<br />
Full Name = "John Doe"<br />
Enabled<br />
Description = ""<br />
User Group Profile = admGroup<br />
Password Expiresat Sat May 19 15:40:40 2001<br />
Password Epiry = 60 Days<br />
Account Expiresat Sat May 19 15:40:40 2001<br />
Account Epiry = 60 Days<br />
Concurrent Logins = 1<br />
database command (configure RAS level)<br />
WG#config<br />
WG(config)#ras<br />
WG(config-ras)#database <br />
Effect<br />
Establishes whether the authentication database is<br />
stored on the RADIUS server or in this<br />
<strong>WatchGuard</strong> Firebox Vclass security appliance,<br />
then notes the parameters of this database.<br />
Arguments<br />
-internal<br />
This argument specifies the use of an internal<br />
database within the <strong>WatchGuard</strong> appliance, for<br />
RAS user authentication.<br />
-radius<br />
This argument specifies the use of a RADIUS<br />
server as the host for a RAS user authentication<br />
database.<br />
If you enter “-radius”, also enter the following<br />
arguments:<br />
<br />
This argument specifies whether the primary or<br />
backup RADIUS server is currently being<br />
configured. You’ll need to enter this command two<br />
times, to configure a primary and a backup server<br />
connection.<br />
If you want to delete the configuration entries for a<br />
backup RADIUS server, enter the “no backup”<br />
argument.<br />
-ip <br />
This argument establishes the IP address of the<br />
RADIUS server that will be used.<br />
-secret <br />
This argument records the secret password<br />
allowing this appliance to contact the database in<br />
the RADIUS server.<br />
[-authentication ]<br />
This argument establishes which authentication is<br />
being used; PAP or SecurID.<br />
[-port ]<br />
This optional argument records the RADIUS server<br />
port number, if needed.<br />
[-user_group ]<br />
This optional argument specifies the name of a user<br />
group profile used by RADIUS users. Be sure to<br />
use the “user_group_profile” command to control<br />
session time and idle timeout for RADIUS users.<br />
Examples<br />
WG(config-ras)#database -radius primary \<br />
-ip 12.10.1.2 -sec confidential \<br />
-auth secure_id -user_group exec_staff<br />
WG(config-ras)#database -internal<br />
WG(config-ras)#database -radius backup \<br />
-ip 12.10.1.3 \<br />
-sec confidential<br />
Level 2 System Configuration commands<br />
Command: For more information, see<br />
dns: “dns command (configure system level)” on page 108<br />
cpm: “cpm command (configure system level)” on page 108<br />
fwuser: “fwuser command (configure system level)” on page 109<br />
icmp_error_handling: “icmp_error_handling command (configure system level)” on page 110<br />
interface: “interface command (configure system level)” on page 110<br />
ldap: “ldap command (configure system level)” on page 110<br />
log: “log command (configure system level)” on page 111<br />
mss_adjustment: “mss_adjustment” on page 112<br />
ntp: “ntp command (configure system level)” on page 113<br />
route: “route command (configure system level)” on page 113<br />
snmp: “snmp command (configure system level)” on page 114<br />
sysinfo: “sysinfo command (configure system level)” on page 115<br />
tcp_syn_checking: “tcp_syn_checking” on page 116<br />
vlan_forwarding: “vlan_forwarding command (configure system level)” on page 116<br />
vpn: “vpn command (configure system level)” on page 117<br />
no: “No command” on page 143<br />
show: “Show command” on page 144<br />
history: “history command” on page 14<br />
rename: “Rename command” on page 143<br />
exit: “exit command” on page 14<br />
top: “top command” on page 15<br />
dns command (configure system level)<br />
WG#config<br />
WG(config)#system<br />
WG(config-sys)# [no] dns \<br />
-server [a.b.c.d]<br />
Effect<br />
Records the domain names and IP addresses of all<br />
relevant domain name servers.<br />
Argument<br />
no<br />
This argument (when entered before the dns<br />
command) deactivates this DNS entry.<br />
<br />
This argument records the domain name of this<br />
security appliance.<br />
<br />
This argument records the IP address of the DNS<br />
server.<br />
Example<br />
WG(config)#dns my_company.com \<br />
-server 24.12.2.1<br />
cpm command (configure system level)<br />
WG#config<br />
WG(config)#cpm <br />
Effect<br />
Enables this appliance to be managed by means of<br />
the <strong>WatchGuard</strong> Centralized Policy Manager<br />
(CPM). You can also use this command to disable<br />
CPM as needed. If enabling CPM access, be sure to<br />
enter the CPM-access password immediately<br />
following the “enable” argument.<br />
Arguments<br />
enable<br />
Enter this argument to activate <strong>WatchGuard</strong> CPM<br />
access to this <strong>WatchGuard</strong> appliance.<br />
<br />
Enter the text of the CPM access password after<br />
“enable”.<br />
disable<br />
Enter this argument if you have already<br />
established CPM access and want to disable the<br />
connection.<br />
Example<br />
WG(config)#cpm enable cpm_admit_1<br />
fwuser command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#fwuser -t [seconds|minutes]<br />
Effect<br />
Allows you to change the value for a firewall user<br />
connection idle timeout. The system default is two<br />
hours, and the default increment is "seconds".<br />
Argument<br />
-t [seconds|minutes]<br />
icmp_error_handling command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#icmp_error_handling [all]|<br />
[[no] fragmentation_required]<br />
[[no] host_unreachable]<br />
[[no] time_exceeded]<br />
[[no] port_unreachable]<br />
[[no] network_unreachable]<br />
Effect<br />
Allows you to turn on ICMP error handling for all<br />
events, or just for the events you specify.<br />
interface command (configure system level)<br />
WG#config<br />
WG(config)#interface<br />
Effect<br />
Enters the interface configuration mode, at which<br />
point you can enter interface-specific commands<br />
and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information on interface configuration<br />
mode, see “Level 2 interface configuration<br />
commands” on page 82.<br />
ldap command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#[no] ldap \<br />
[port_number]<br />
Effect<br />
Activates (or deactivates) a network connection to<br />
an LDAP server that this security appliance would<br />
use to look up certificate revocation lists during<br />
IKE key negotiations.<br />
Arguments<br />
no<br />
This argument (when entered before the ldap<br />
command prompt) deactivates this LDAP<br />
connection.<br />
[port_number]<br />
This argument notes the pertinent IP address and<br />
LDAP server port number. You can enter either an<br />
IP address or a domain name, and, if the LDAP<br />
server port number is other than “389”, you must<br />
enter it.<br />
To enter a host name, you must first record the<br />
DNS server connection, as noted elsewhere in this<br />
<strong>Guide</strong>.<br />
Example<br />
WG(config-sys)#ldap 207.124.35.3 189<br />
log command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#log<br />
Effect<br />
Enters the log configuration mode, at which point<br />
you can enter log file-specific commands and their<br />
arguments.<br />
Arguments<br />
None in this mode. For more information about<br />
“log” mode commands, see “Level 3 log<br />
configuration commands” on page 124.<br />
mss_adjustment<br />
WG#config<br />
WG(config)#system <br />
WG(config-system)#mss_adjustment [auto | limit_to | disable]<br />
## limit_to range - 40-1460 bytes<br />
Effect<br />
Sets the TCP Maximum Segment Size for the<br />
system. This feature works in conjunction with the<br />
MTU settings to limit the size of packets, if<br />
configured. This feature overcomes the following<br />
problems:<br />
- Oversized packets can result in fragmentation,<br />
degrading VPN performance.<br />
- Proxies may require MSS adjustment to prevent<br />
fragmentation.<br />
- Some older systems do not support MTU to<br />
regulate packet size. This feature works along<br />
with MTU; it does not replace MTU.<br />
Arguments<br />
auto<br />
Auto adjustment calculates the MSS automatically,<br />
using the following calculations:<br />
Determines the lesser value of the input port MTU<br />
and the output port MTU. Subtracts packet<br />
overhead, including IP and TCP addressing,<br />
VLAN, ESP, PPPoE, AH, and UDP encapsulation.<br />
The result is then rounded down to the next lower<br />
multiple of 8 bits (8-bit aligned) to determine the<br />
size in bytes that is required for packet<br />
transmission. The results of this calculation are<br />
used as the MSS for the connection.<br />
limit_to<br />
This limits MSS to the specified size in bytes. You<br />
can specify a value between 40 and 1640 bytes.<br />
disable<br />
This specifies that no change be made to the TCP<br />
header. If you select this option, packets may<br />
fragment.<br />
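The auto calculation described above, as an added example in Python (not WatchGuard code): take the lesser port MTU, subtract header and encapsulation overhead, round down to a multiple of 8, and apply limit_to or disable the same way the guide describes. The per-encapsulation byte counts are typical IPv4 values I assume here, since the guide does not give the appliance's exact accounting; the limit_to range follows the 40-1460 figure in the syntax summary.

```python
"""MSS adjustment modes for the mss_adjustment command.

Added example, not WatchGuard code. The overhead table holds typical IPv4
values assumed for this example; the guide does not list the exact bytes
the appliance subtracts.
"""
from typing import Iterable

# Constructed overhead table (bytes). ESP and AH assume tunnel mode with
# HMAC-96 integrity; ESP uses the 8-byte CBC IV of DES/3DES and worst-case
# padding so the computed MSS is never too large.
OVERHEAD = {
    "ip": 20,         # IPv4 header without options
    "tcp": 20,        # TCP header without options
    "vlan": 4,        # 802.1Q tag
    "pppoe": 8,       # 6-byte PPPoE header + 2-byte PPP protocol field
    "udp_encap": 8,   # UDP header for NAT-traversal encapsulation
    "esp": 20 + 8 + 8 + 2 + 7 + 12,  # outer IP, SPI/seq, IV, trailer, pad, ICV
    "ah": 20 + 12 + 12,              # outer IP, AH header, ICV
}

LIMIT_MIN, LIMIT_MAX = 40, 1460      # limit_to range from the syntax summary


def auto_mss(in_mtu: int, out_mtu: int, encapsulations: Iterable[str] = ()) -> int:
    """Lesser of the two port MTUs, minus headers, rounded down to a multiple of 8."""
    budget = min(in_mtu, out_mtu) - OVERHEAD["ip"] - OVERHEAD["tcp"]
    for enc in encapsulations:
        budget -= OVERHEAD[enc]       # KeyError on an encapsulation we do not model
    if budget < LIMIT_MIN:
        raise ValueError(f"MTU {min(in_mtu, out_mtu)} leaves no room for TCP payload")
    return budget - budget % 8        # round down to the next lower multiple of 8


def limit_to_mss(size: int) -> int:
    """Validate a limit_to value against the 40-1460 byte range."""
    if not LIMIT_MIN <= size <= LIMIT_MAX:
        raise ValueError(f"limit_to must be between {LIMIT_MIN} and {LIMIT_MAX} bytes")
    return size


def adjust_syn_mss(advertised: int, mode: str, *, in_mtu: int = 1500,
                   out_mtu: int = 1500, encapsulations: Iterable[str] = (),
                   limit: int = 0) -> int:
    """Return the MSS the appliance would leave in a forwarded SYN's TCP option."""
    if mode == "disable":
        return advertised             # TCP header left untouched; packets may fragment
    if mode == "auto":
        cap = auto_mss(in_mtu, out_mtu, encapsulations)
    elif mode == "limit_to":
        cap = limit_to_mss(limit)
    else:
        raise ValueError(f"unknown mss_adjustment mode {mode!r}")
    return min(advertised, cap)       # only ever lower the peer's advertised value


if __name__ == "__main__":
    print(auto_mss(1500, 1500))                                  # 1456
    print(auto_mss(1500, 1492, ["pppoe"]))                       # 1440
    print(adjust_syn_mss(1460, "auto", encapsulations=["esp"]))  # 1400
```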
Example<br />
WG#config<br />
WG(config)#system <br />
WG(config-system)#mss_adjustment limit_to 1400<br />
ntp command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#ntp<br />
Effect<br />
Discuss effects<br />
Arguments<br />
Describe arguments.<br />
route command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#route<br />
Effect<br />
Enters the system route configuration mode, at<br />
which point you can enter route-specific<br />
commands and their arguments.<br />
Arguments<br />
None in this mode.<br />
See Also<br />
For more information about route mode<br />
commands, see “Level 3 route configuration<br />
commands” on page 122.<br />
snmp command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#snmp [a.b.c.d] \<br />
[-community][-trap|-no_trap]<br />
Effect<br />
Records network connection data for all relevant<br />
SNMP management workstations that will receive<br />
traps generated by this security appliance.<br />
Arguments<br />
no<br />
This argument, if entered before the “snmp”<br />
command prompt, removes/deactivates all<br />
recorded SNMP stations.<br />
<br />
This argument records the IP address for a specific<br />
SNMP workstation.<br />
-community<br />
This argument records the community string.<br />
[-trap|-no-trap]<br />
This optional argument activates (or deactivates)<br />
the SNMP trap settings.<br />
Example<br />
WG(config-sys)#snmp 128.13.44.2 \<br />
-community 66gHf4D -trap<br />
Results<br />
To view the results, type this command:<br />
WG(config-sys)#show snmp<br />
sysinfo command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-system)#sysinfo <br />
Effect<br />
Applies new system information to an existing<br />
security appliance, including appliance name,<br />
contact name and actual location of the appliance.<br />
Arguments<br />
-name <br />
Use this argument to record the DNS name of this<br />
security appliance – without the rest of the DNS<br />
entry.<br />
-location <br />
Use this argument to record the geographic<br />
location of this appliance.<br />
-contact <br />
Use this argument to record the name of the<br />
administrator.<br />
-time <br />
Use this argument to set the system<br />
time.<br />
-date <br />
Use this argument to set the system date.<br />
Example<br />
WG(config-sys)#sysinfo -name mucho \<br />
-loc "Lot 49" \<br />
-contact "O. Maas"<br />
-time 14:42:05<br />
-date 10:15:02<br />
To review and confirm your entries, type this<br />
command:<br />
WG(config-sys)#show sysinfo<br />
The complete results will appear as suggested here<br />
(in eight lines):<br />
System name=mucho<br />
System contact=O. Maas<br />
System location=Lot 49<br />
Version=4.0<br />
SerialNum=<br />
tcp_syn_checking command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-system)#tcp_syn_checking<br />
<br />
Effect<br />
This enables or disables TCP SYN checking.<br />
vlan_forwarding command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-sys)#vlan_forwarding<br />
[enable|disable]<br />
Effect<br />
Allows you to enable (or disable) the system-wide<br />
VLAN forwarding capability.<br />
Argument<br />
enable<br />
Turns on VLAN forwarding.<br />
disable<br />
Turns off VLAN forwarding (if it is active).<br />
vpn command (configure system level)<br />
WG#config<br />
WG(config)#system <br />
WG(config-system)#vpn [[no]<br />
ignore_DF_for_IPSec] [[no]<br />
IPSec_pass_through]<br />
Effect<br />
This allows you to set options for VPN.<br />
Arguments<br />
[no] ignore_DF_for_IPSec<br />
This enables fragments of large packets through<br />
the VPN tunnel. If you set this feature, the<br />
appliance ignores the don't fragment (DF) rule.<br />
[no] IPSec_pass_through<br />
This allows IPSec pass-through.<br />
Level 2 license commands (for upgraded or<br />
additional features)<br />
Import command (config license level)<br />
WG#config<br />
WG(config)#license <br />
WG(config-license)#import<br />
Effect<br />
Imports a new license that upgrades or adds<br />
functionality to the appliance.<br />
Arguments<br />
None<br />
active_feature command (config license level)<br />
WG#config<br />
WG(config)#license<br />
WG(config-license)#active_feature <br />
Effect<br />
Lists all currently active extra features (obtained<br />
through licensing).<br />
Arguments<br />
None<br />
delete command (config license level)<br />
WG#config<br />
WG(config)#license<br />
WG(config-license)#delete <br />
Effect<br />
Removes the named license from the appliance.<br />
Arguments<br />
<br />
This argument records the exact ID for a license to<br />
delete.<br />
Example<br />
None<br />
show command (config license level)<br />
WG#config<br />
WG(config)#license<br />
WG(config-license)#show <br />
Effect<br />
Displays a summary of the named license or lists<br />
all available licenses.<br />
Arguments<br />
None<br />
This will list all available licenses.<br />
<br />
This argument notes an ID for the license and will<br />
list the details of that license.<br />
Example<br />
WG#config<br />
WG(config)#license<br />
WG(config-license)#show<br />
Ord  License Name        License ID  Expiration Date<br />
1    V80_3DES_HA_Bundle  3293MXLD    17-05-2022<br />
or<br />
WG#config<br />
WG(config)#license<br />
WG(config-license)#show 3293MXLD<br />
License Name:V80_3DES_HA_Bundle<br />
License ID:3293MXLD<br />
Feature(s):HA<br />
3DES<br />
UPGRADE<br />
Expiration Date:17-05-2022<br />
Level 2 tenant configuration commands<br />
vlan command (configure tenant level)<br />
WG#config<br />
WG(config)#tenant<br />
WG(config-tenant)#vlan<br />
[-interface ]<br />
[-ip a.b.c.d/e] [-gateway a.b.c.d]<br />
[-public <br />
# valid vlan -id range (1-4094)<br />
# -ip a.b.c.d/e if specified, the IP address/mask<br />
assigned for<br />
# interface 0|2|3 (default is 0) of tenant<br />
# e.g.> vlan v1 -id 3 -interface 0 -gate 10.1.0.1<br />
Effect<br />
Records a new VLAN tenant entry, along with the<br />
appliance interface that VLAN tenant traffic will be<br />
expected to use.<br />
Arguments<br />
<br />
This argument records the name assigned to this<br />
VLAN tenant (for use in security policies.)<br />
<br />
This argument records the VLAN ID as "id"<br />
followed by the number (between 1 and 4096)<br />
assigned to this tenant.<br />
<br />
This argument specifies which interface (0, 2, or 3)<br />
this VLAN tenant is associated with.<br />
[-ip a.b.c.d/e]<br />
This argument records the IP address and subnet<br />
assigned to interface 0 (private) or 2 (DMZ), if<br />
one of those is specified.<br />
[-gateway a.b.c.d]<br />
This argument notes the gateway IP address for<br />
this tenant, if needed.<br />
-public
# valid user domain tenant -id must be from 5001 to<br />
65535<br />
# -idle_time_out m Idle timeout. m is the number in<br />
minutes<br />
# -radius_timeout sec Time out for radius request<br />
# -radius_retry n number of retries for radius query<br />
Effect<br />
Records a new VLAN-specific tenant entry, along<br />
with the appliance interface that VLAN tenant<br />
traffic will be expected to use.<br />
Arguments<br />
user_domain<br />
This argument identifies which type of tenant this<br />
entry represents.<br />
<br />
This argument records the name assigned to this<br />
VLAN tenant (for use in security policies.)<br />
<br />
This is "id" followed by the number (above 5000)<br />
assigned to this tenant.<br />
-public
the Radius server, if a port other than the default<br />
port number is used.<br />
<br />
This argument indicates the Radius password and<br />
its text.<br />
[-backup_radius_ip a.b.c.d] \<br />
[backup_radius_port NUMBER]<br />
This pair of arguments allows you to note a backup<br />
Radius server and its port number, if present.<br />
Example<br />
WG(config-tenant)#user_domain<br />
\<br />
-interface 1 192.168.12.34 -id 6666 -idle 720 \<br />
-radius 12.12.3.144 \<br />
-radius_secret "no_admit"<br />
Level 3 configuration mode commands<br />
The following section, detailing all the third-level configuration<br />
commands, has been divided into “task” or “topical”<br />
collections, which include the following:<br />
• Route configuration this page<br />
• Log configuration page 124<br />
Level 3 route configuration commands<br />
Configure new static route<br />
WG#config<br />
WG(config)#system<br />
WG(config-sys)#route<br />
WG(config-route)#static \<br />
interface <br />
Effect<br />
Configures a new static route utilized by traffic<br />
passing through this <strong>WatchGuard</strong> appliance.<br />
Arguments<br />
<br />
Use this argument to record the IP address of the<br />
destination subnet.<br />
<br />
Use this argument to record the number of bits in<br />
the subnet mask, or the destination subnet mask.<br />
<br />
Use this argument to record the IP address of the<br />
next gateway to the destination subnet.<br />
interface <br />
This argument specifies which interface in this<br />
security appliance is used for outgoing traffic using<br />
this route.<br />
delete<br />
Type this argument before typing the arguments<br />
for a route, to deactivate that particular route.<br />
Example<br />
WG(config-route)#static 0.0.0.0/0 \<br />
105.10.74.122 pub<br />
Configure dynamic routing<br />
WG#config<br />
WG(config)#system<br />
WG(config-sys)#route<br />
WG(config-route)# [no] dynamic<br />
[import|restart]<br />
Effect<br />
Configures dynamic routing in this <strong>WatchGuard</strong><br />
Firebox Vclass security appliance.<br />
Arguments<br />
no<br />
Enter this argument to deactivate dynamic routing<br />
altogether.<br />
[import|restart]<br />
Use these options to import dynamic routing<br />
information, or to restart the system.<br />
Examples<br />
WG(config-route)#dynamic import<br />
WG(config-route)#dynamic restart<br />
Level 3 log configuration commands<br />
Activate or deactivate traffic log file<br />
WG#config<br />
WG(config)#system<br />
WG(config-sys)#log<br />
WG(config-log)#traffic<br />
Effect<br />
Use this command to activate (or deactivate) a<br />
traffic log file.<br />
Arguments<br />
no<br />
This argument, when entered before the type of log<br />
file, will deactivate that log.<br />
Examples<br />
WG(config-log)#no traffic<br />
Configure events log file<br />
WG#config<br />
WG(config)#system<br />
WG(config-sys)#log<br />
WG(config-log)#event \<br />
<br />
Effect<br />
Use this command to configure the events log file.<br />
Arguments<br />
<br />
Type one of the above-noted “log level” selections<br />
after the command prompt, to indicate what to<br />
include in this events log. If you type “critical”, the<br />
log will record only critical events, whereas if you<br />
type “info”, the log will record all of the other<br />
selections too.<br />
no<br />
This argument, when entered before “event”, will<br />
deactivate the event log.<br />
Example<br />
WG(config-log)#event error<br />
Set up remote log server connection<br />
WG#config<br />
WG(config)#system<br />
WG(config-sys)#log<br />
WG(config-log)#remote_log_server<br />
<br />
Effect<br />
Use this command to set up a remote log server<br />
connection.<br />
Arguments<br />
<br />
This argument records the IP address of the remote<br />
log server.<br />
Example<br />
WG(config-log)#remote_log_server<br />
128.19.3.77<br />
NOTE<br />
When exiting “config” mode you may be prompted<br />
Commit before exit? (Y/N). This prompt is<br />
displayed if you have made changes but have not committed<br />
them to the <strong>WatchGuard</strong> appliance database. Type Y to<br />
commit your changes and return to the WG# prompt, or type<br />
N to void the changes and leave the database in its previous<br />
state.<br />
CHAPTER 4 Debug Mode<br />
Commands<br />
All <strong>WatchGuard</strong> <strong>CLI</strong> commands are organized into<br />
groups, which are presented as specific command<br />
modes. This chapter covers the commands available in<br />
Debug Mode.<br />
Debugging/troubleshooting commands<br />
The <strong>CLI</strong> Debug commands, detailed here, enable the<br />
use of standard Linux commands such as ping, tcpdump,<br />
netstat, traceroute, and arp. Most commands<br />
such as “netstat,” “arp,” “ping,” “tcpdump,” and<br />
“traceroute” are similar to those provided on UNIX,<br />
Solaris and Linux systems. You can use these commands<br />
to troubleshoot network environments.<br />
Debugging configuration information is not saved<br />
when the database is backed up or exported to an<br />
XML profile. Debugging commands are available<br />
only for runtime debugging purposes.<br />
Debugging information is not synced between HA appliances.<br />
Command For more information<br />
arp See “arp command” on page 129.<br />
clear_logs See “clear_logs” on page 129.<br />
config_http See “config_http command” on page 129.<br />
conn_idle_timeout See “conn_idle_timeout command” on page 130.<br />
ha_instant_sync See “ha_instant_sync command” on page 130.<br />
hwdiag See “hwdiag command” on page 131.<br />
ifconfig See “ifconfig command” on page 131.<br />
importscreen See “importscreen command” on page 132.<br />
kernel_debug See “kernel_debug command” on page 133.<br />
netstat See “netstat command” on page 134.<br />
ping See “ping command” on page 134.<br />
pppoe_config See “pppoe_config command” on page 135.<br />
radius_ping See “radius_ping command” on page 135.<br />
rcinfo See “rcinfo command” on page 137.<br />
reboot See “reboot command” on page 137.<br />
rs_kdiag See “rs_kdiag command” on page 138.<br />
set_dos_if See “set_dos_if command” on page 139.<br />
slink See “slink command” on page 139.<br />
tcpdump See “tcpdump command” on page 140.<br />
traceroute See “traceroute command” on page 140.<br />
verbose_trace See “verbose_trace command” on page 141.<br />
vinstall See “vinstall command” on page 141.<br />
show See “Show command” on page 144.<br />
history See “history command” on page 14.<br />
exit See “exit command” on page 14.<br />
top See “top command” on page 15.<br />
arp command<br />
WG#debug<br />
WG(debug)#arp<br />
Effect<br />
Displays or manipulates the ARP cache.<br />
Arguments<br />
None<br />
Example<br />
WG(debug)#arp<br />
clear_logs<br />
WG#debug<br />
WG(debug)#clear_logs<br />
Effect<br />
Clear all log entries.<br />
Argument<br />
None<br />
config_http command<br />
WG#debug<br />
WG(debug)#config_http [enable | disable | logon_html [ standard | alternate ] ]<br />
enable Enable HTTPd<br />
disable Disable HTTPd<br />
logon_html standard Use default logon HTML page.<br />
logon_html alternate Use alternate logon HTML page.<br />
Effect<br />
Allows you to enable and disable debugging for<br />
HTTP.<br />
Arguments<br />
enable<br />
Enables HTTP debugging.<br />
disable<br />
Disables HTTP debugging.<br />
logon_html [standard | alternate ]<br />
Standard allows you to use the default HTML logon<br />
debugging page. Alternate allows you to use the<br />
alternate HTML logon page.<br />
Example<br />
WG#debug<br />
WG(debug)#config_http enable logon_html<br />
alternate<br />
conn_idle_timeout command<br />
WG#debug<br />
WG#debug conn_idle_timeout [show | set |<br />
set_default | -h | -? ], where<br />
show Displays the current settings<br />
set Set the connection idle timeout (in<br />
seconds, 1-86400)<br />
Effect<br />
This allows you to set the connection idle timeout<br />
between the Vclass appliance and the Management<br />
Station. The maximum time is 86,400 seconds (one<br />
day). The default is 180 seconds (3 minutes).<br />
Example<br />
WG#debug conn_idle_timeout 600<br />
WG#debug conn_idle_timeout set_default<br />
ha_instant_sync command<br />
WG#debug<br />
WG#debug ha_instant_sync [show | enable | disable |<br />
set_default | -h | -? ], where<br />
show Displays the current settings<br />
enable Enable instant state sync<br />
disable Disable instant state sync<br />
set_default Restore the setting to the factory<br />
default value<br />
Effect<br />
Enables or disables instant HA state<br />
synchronization. This is enabled by default.<br />
Example<br />
WG#debug ha_instant_sync enable<br />
hwdiag command<br />
WG#debug<br />
WG(debug)#hwdiag < 1 | 2 ><br />
Effect<br />
Provides diagnostic information for your<br />
hardware. Two diagnostic levels are available.<br />
Type the command<br />
“hwdiag 1” to perform level 1 hardware<br />
diagnostic tests, or “hwdiag 2” to<br />
perform level 2 tests.<br />
Level 2 hardware diagnostics require that the<br />
system be rebooted after the tests complete.<br />
ifconfig command<br />
WG#debug<br />
WG#debug ifconfig<br />
Effect<br />
ifconfig is the standard Linux command for<br />
interface configuration. This command can be used<br />
to configure the interfaces, as an alternative to<br />
interface configuration in the configuration menu.<br />
Displays debugging information for the interfaces<br />
on the appliance.<br />
Options<br />
Type -h to get help for this option. ifconfig is a<br />
standard Linux command, and should be used by a<br />
knowledgeable administrator. For the interface<br />
names, use “eth0” through “eth5,” depending on<br />
how many interfaces your device has.<br />
Type ifconfig with no options or arguments to<br />
show detailed interface information.<br />
NOTE<br />
When using the ifconfig command in transparent mode,<br />
you must use eth1, as in the following example:<br />
ifconfig eth1 ipaddress netmask mask<br />
You cannot use ifconfig with any other interface (e.g. eth0,<br />
eth2, eth3) in transparent mode.<br />
importscreen command<br />
WG#debug<br />
WG(debug)#importscreen<br />
Import a tar file via ftp to customize Firewall User Login<br />
Screen.<br />
Syntax:<br />
importscreen <br />
<br />
Example:<br />
importscreen 10.10.10.10 ftp any public/screen.tar<br />
Effect<br />
This command allows you to import a tar-archived<br />
set of files to replace the https firewall user<br />
authentication login screen.<br />
Prerequisites<br />
The default configuration includes the following<br />
files:<br />
- logon.html<br />
- cert_logon.html<br />
- user_auth_fail.html<br />
- index.html<br />
- user_auth_success.html<br />
- images/rs_sublogo.gif<br />
You can save these files from the login and result<br />
pages to your local system using your browser’s<br />
“Save” function. Once the files are saved, you can<br />
edit the files, adding images, replacing text, and<br />
changing the page layout. However, you should<br />
not change any of the form input submission<br />
information, or your pages will not work.<br />
You must create a compressed tar file (*.tar) that<br />
includes all of the files you want to replace for the<br />
logon and result screens. When you have<br />
completed editing, tar the files (creating a *.tar file),<br />
and place this file in an accessible FTP upload<br />
directory. Then, use the <strong>CLI</strong> to FTP the file to the<br />
Vclass appliance.<br />
NOTE<br />
These operations require a moderate level of HTML<br />
knowledge and editing skills.<br />
Example<br />
WG#debug<br />
WG(debug)#importscreen 10.10.0.98<br />
ftpadmin ftppassword public/screens.tar<br />
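A pre-upload check for a customised screen archive, added here as an illustration and not part of the WatchGuard guide: it confirms the tar holds every file listed above, rejects absolute or parent-relative member paths, and verifies that the form and input attributes of an edited page still match the original saved from the appliance. The sample HTML and the archive are constructed inline; the appliance's real logon.html is not on the page.

```python
import io
import re
import tarfile

# File set the guide lists for the default login screen.
REQUIRED_FILES = [
    "logon.html", "cert_logon.html", "user_auth_fail.html",
    "index.html", "user_auth_success.html", "images/rs_sublogo.gif",
]

# Picks out <form ...> and <input ...> tags so the submission details
# (form action/method, input name/type) can be compared before and after editing.
_TAG_RE = re.compile(r"<(form|input)\b([^>]*)>", re.IGNORECASE)
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
_KEEP = {"form": ("action", "method"), "input": ("name", "type")}


def form_signature(html: str) -> list:
    """The form/input attributes that must survive a cosmetic edit unchanged."""
    sig = []
    for tag, attrs in _TAG_RE.findall(html):
        tag = tag.lower()
        found = {k.lower(): v for k, v in _ATTR_RE.findall(attrs)}
        sig.append((tag, tuple(found.get(a) for a in _KEEP[tag])))
    return sig


def check_screen_tar(tar_bytes: bytes, originals: dict) -> list:
    """Return problems found in a customised screen archive (empty list = OK).
    `originals` maps file name -> HTML saved from the appliance's default pages."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = {}
        for m in tar.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            # Reject absolute or parent-relative paths before looking at content.
            if name.startswith("/") or ".." in name.split("/"):
                problems.append(f"unsafe path {m.name}")
                continue
            if m.isfile():
                members[name] = m
        for name in REQUIRED_FILES:
            if name not in members:
                problems.append(f"missing {name}")
        for name, m in members.items():
            if name in originals:
                edited = tar.extractfile(m).read().decode("utf-8", "replace")
                if form_signature(edited) != form_signature(originals[name]):
                    problems.append(f"form inputs changed in {name}")
    return problems


def build_tar(files: dict) -> bytes:
    """Constructed helper: pack {name: bytes} into an in-memory tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample pages; not the appliance's real logon.html.
ORIGINAL_LOGON = ('<html><body><form action="/auth" method="post">'
                  '<input type="text" name="user">'
                  '<input type="password" name="pass">'
                  '<input type="submit" value="Login"></form></body></html>')
EDITED_OK = ORIGINAL_LOGON.replace("<body>", '<body><img src="images/rs_sublogo.gif">')
EDITED_BAD = ORIGINAL_LOGON.replace('name="pass"', 'name="password"')


def sample_archive(logon_html: str, drop: str = None) -> bytes:
    """Constructed archive holding every required file, with logon.html as given."""
    files = {name: b"placeholder" for name in REQUIRED_FILES}
    files["logon.html"] = logon_html.encode()
    if drop:
        del files[drop]
    return build_tar(files)
```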
kernel_debug command<br />
WG#debug<br />
WG(debug)#kernel_debug < on | off ><br />
Effect<br />
This command turns kernel debugging on or off.<br />
Arguments<br />
None.<br />
Example<br />
WG(debug)#kernel_debug on<br />
netstat command<br />
WG#debug<br />
WG(debug)#netstat<br />
Effect<br />
This command displays the network status as seen<br />
from the security appliance’s point of view. To<br />
review the arguments for this command, type -?.<br />
The following are some of the available arguments.<br />
Arguments<br />
-a Displays active network connections and their<br />
status<br />
-i Shows summaries sorted by appliance interface<br />
-s Shows statistics<br />
-r Shows routing table information<br />
Example<br />
WG(debug)#netstat -i<br />
ping command<br />
WG#debug<br />
WG(debug)#ping <br />
Effect<br />
Use the ping command to send an ICMP<br />
ECHO_REQUEST to a designated device.<br />
Arguments<br />
<br />
This argument records the IP address of the<br />
device/appliance to be pinged.<br />
Example<br />
WG(debug)#ping 122.13.2.9<br />
The <strong>WatchGuard</strong> <strong>CLI</strong> will send ping packets to the<br />
designated IP address. Enter ^c (Control-C) to stop<br />
the ping. The <strong>CLI</strong> will then display the results and<br />
return to the WG(debug)# prompt.<br />
pppoe_config command<br />
pppoe_config [show | set num | set_default]<br />
show Show current settings.<br />
set num Set PPPoE parameters.<br />
-i is for echo interval (1-1200 Sec).<br />
-f is for echo failure (1-60).<br />
-r is for re-auth period (0-7200 Min).<br />
-t is for re-auth interval (0-120 Min).<br />
num is an integer.<br />
set_default Restore factory default value.<br />
Effect<br />
This command allows you to set PPPoE echo (keepalive)<br />
and re-authorization times and limits.<br />
Arguments<br />
-i allows you to set the echo (keep-alive) interval,<br />
from 1—1200 seconds.<br />
-f allows you to set the threshold for echo (keepalive)<br />
failure, from 1—60 seconds.<br />
-r allows you to set the re-authorization period,<br />
from 0—7200 minutes.<br />
-t allows you to set the re-authorization interval,<br />
from 0 to 120 minutes.<br />
set_default allows you to set the default values<br />
for PPPoE echo and re-authorization.<br />
Example<br />
WG(debug)#pppoe_config set -i 300 -f 5 \<br />
-r 1800 -t 60<br />
radius_ping command<br />
WG#debug<br />
WG(debug)#radius_ping \<br />
[-pap |-sid ] \<br />
[-p ] [-r ] \<br />
[-s ] [-t ] \<br />
[-u ] <br />
Effect<br />
Use this command to test the connections between<br />
this <strong>WatchGuard</strong> appliance and a RADIUS server.<br />
Pay special attention to the arguments for this<br />
command.<br />
Arguments<br />
[-pap ]<br />
This optional argument specifies PAP as the<br />
authentication used by this RADIUS server, along<br />
with the PAP password.<br />
[-sid ]<br />
This optional argument specifies SecurID as the<br />
authentication used by this RADIUS server, along<br />
with the SecurID passcode.<br />
[-p ]<br />
This argument allows you to record a specific port<br />
number for the RADIUS server. The default port<br />
number is “1812” and you can ignore this<br />
argument if the port number was not changed.<br />
[-r ]<br />
This argument specifies the maximum number of<br />
tries (between 1 and 10) made by this command.<br />
The default is “3”.<br />
[-s ]<br />
This argument records the “secret” login password<br />
required by the RADIUS server. The default is<br />
“test123”.<br />
[-t ]<br />
This argument establishes the timeout value for<br />
each test message.<br />
The default value is “2”.<br />
[-u ]<br />
This argument records a RADIUS user name for<br />
use in this ping attempt. The default entry is<br />
“test123”.<br />
<br />
This argument notes the IP address of the interface<br />
where the RADIUS request will be sent.<br />
<br />
This argument notes the IP address of the RADIUS<br />
server.<br />
Example<br />
WG(debug)# radius_ping -u jsmith -pap<br />
johnsm \<br />
10.10.13.101 10.10.0.5<br />
[no response from RADIUS server]<br />
rcinfo command<br />
WG#debug<br />
WG(debug)#rcinfo<br />
Effect<br />
Shows debug information about the RapidCore<br />
chip in your appliance. This is used for<br />
troubleshooting purposes, with <strong>WatchGuard</strong><br />
technical support.<br />
Example<br />
WG#debug<br />
WG(debug)#rcinfo<br />
reboot command<br />
WG#debug<br />
WG(debug)#reboot<br />
Effect<br />
Reboots the appliance.<br />
Example<br />
WG(debug)#reboot<br />
rs_kdiag command<br />
WG#debug<br />
WG(debug)#rs_kdiag<br />
Effect<br />
This command displays internal diagnostics<br />
information.<br />
Arguments<br />
None<br />
set_dos_if command<br />
WG#debug<br />
WG(debug)#set_dos_if<br />
[show | set | set_default | -h | -? ], where<br />
show Show the current settings.<br />
set xyzv Set DOS protection on interfaces.<br />
x,y,z,v must be 0 or 1. x is for interface 0,<br />
y for interface 1, z for interface 2,<br />
and v for interface 3.<br />
set_default Restore the setting to the factory default value<br />
Effect<br />
This sets denial of service (DOS) protection on<br />
individual interfaces. The default settings are<br />
0000000f.<br />
Example<br />
WG#debug<br />
WG(debug)#set_dos_if set 0011<br />
slink command<br />
WG#debug<br />
WG(debug)# slink [ [-s] ] [show]<br />
-s : save configuration only<br />
Port: eth0, eth1, eth2, eth3<br />
Mode:<br />
auto = Auto negotiate<br />
1000A = 1000BaseFX, AutoNegotiation enabled<br />
1000H = 1000BaseFX, AutoNegotiation disabled<br />
100F = 100BaseT, Full-duplex mode<br />
100H = 100BaseT, Half-duplex mode<br />
10F = 10BaseT, Full-duplex mode<br />
10H = 10BaseT, Half-duplex mode<br />
show: current setting<br />
Effect<br />
This command sets the physical speed of a specific<br />
accelerated data interface.<br />
Arguments<br />
eth0, eth1, eth2, eth3<br />
Indicates the interface to be changed.<br />
mode<br />
auto = Auto negotiate<br />
1000A = 1000BaseFX, AutoNegotiation enabled<br />
1000H = 1000BaseFX, AutoNegotiation disabled<br />
100F = 100BaseT, Full-duplex mode<br />
100H = 100BaseT, Half-duplex mode<br />
10F = 10BaseT, Full-duplex mode<br />
10H = 10BaseT, Half-duplex mode<br />
show<br />
Displays the current setting<br />
Example<br />
WG#debug<br />
WG(debug)# slink eth1 10H<br />
This sets interface 1 (public) to 10BaseT, Half-duplex<br />
mode.<br />
tcpdump command<br />
WG#debug<br />
WG(debug)#tcpdump<br />
Effect<br />
Dumps all traffic on a network. Tcpdump captures<br />
all packets detected by the network interfaces of<br />
the appliance where “tcpdump” is executed. This<br />
command may be used to track specific packets.<br />
Arguments<br />
None<br />
Example<br />
WG(debug)#tcpdump<br />
traceroute command<br />
WG#debug<br />
WG(debug)#traceroute <br />
Effect<br />
Displays the complete route information to the<br />
target device. This command utilizes the IP<br />
protocol “time to live” field and solicits an ICMP<br />
TIME_EXCEEDED response from each gateway<br />
along the path to the target device. You can use this<br />
command to troubleshoot network routing and<br />
connectivity.<br />
Arguments<br />
Be sure to type the IP address of the target device,<br />
as shown in the example below.<br />
Example<br />
WG(debug)#traceroute<br />
207.188.12.3<br />
verbose_trace command<br />
WG#debug<br />
WG(debug)# verbose_trace [ on | off ]<br />
Effect<br />
This command enables/disables verbose tracing in<br />
the traffic log. If it is enabled, every firewall-dropped<br />
packet will be shown in the traffic log. All<br />
DNS packets will also be shown in the traffic log.<br />
NOTE<br />
If this feature is enabled, there will be an impact to the<br />
overall system performance due to heavy logging activity.<br />
vinstall command<br />
WG#debug<br />
WG(debug)# vinstall <br />
<br />
##This feature allows downgrade from 5.0 to 3.2 or 4.0<br />
##e.g. vinstall 10.10.10.10 my_username my_password<br />
"path/encrypted_fbv.tgz"<br />
## For V10, use non-encrypted file. For others, use<br />
encrypted file.<br />
Effect<br />
This allows you to downgrade to an earlier<br />
software version: from 5.0 to 4.0 or from 5.0 to 3.2.<br />
NOTE<br />
This feature is not supported in software versions earlier than<br />
5.0.<br />
Example<br />
WG#debug<br />
WG(debug)# vinstall 10.10.0.98 ftpadmin<br />
ftppass /upload/downgrade/encrypted.tgz<br />
CHAPTER 5 Other Commands<br />
This chapter describes commands that do not belong<br />
to one of the three main command modes (Administration,<br />
Configuration, and Debug).<br />
No command<br />
The no command is used before another command or<br />
argument to turn off or disable the specified feature.<br />
Rename command<br />
The rename command is used to rename objects.<br />
Show command<br />
As a way of viewing lists and details of a <strong>WatchGuard</strong><br />
appliance’s configuration, the Show command (and its<br />
arguments) provides an adaptable means of cataloging<br />
such things as address groups, IPSec actions or RAS user<br />
profiles. Once you determine what’s listed, you can then<br />
adapt the Show command to view the “contents” of a specifically<br />
named item, including the settings or configuration<br />
entries that comprise that item.<br />
Show command general usage<br />
WG#show<br />
Effect<br />
If you type “show” at the top-level <strong>CLI</strong> prompt, the<br />
<strong>WatchGuard</strong> <strong>CLI</strong> will display a complete list of<br />
“show” arguments (listed above in “Contents”),<br />
that enable you to list almost every kind of object in<br />
the <strong>WatchGuard</strong> database, from address groups to<br />
VLAN objects.<br />
Arguments<br />
None.<br />
The current range of Show commands includes the following:<br />
Command For more information<br />
address See “Show address command” on page 145.<br />
alarm See “Show alarm command” on page 146.<br />
all_routes See “Show all_routes command” on page 147.<br />
certificate See “Show certificate command” on page 147.<br />
cpm See “Show CPM command” on page 148.<br />
denial_of_service See “Show denial_of_service command” on page 148.<br />
diagnostics See “Show diagnostics command” on page 148.<br />
dns See “Show DNS command” on page 148.<br />
ike See “Show IKE command” on page 149.<br />
interface See “Show interface command” on page 150.<br />
ipsec See “Show IPSec command” on page 150.<br />
ldap See “Show LDAP command” on page 151.<br />
license See “Show license command” on page 151.<br />
log See “Show log command” on page 152.<br />
mode See “Show mode command” on page 152.<br />
nat See “Show NAT command” on page 153.<br />
ntp See “Show NTP command” on page 153.<br />
policy See “Show policy command” on page 154.<br />
qos See “Show QoS command” on page 154.<br />
ras See “Show RAS command” on page 155.<br />
route See “Show route command” on page 156.<br />
sa See “Show SA command” on page 156.<br />
service See “Show service command” on page 157.<br />
snmp See “Show SNMP command” on page 158.<br />
statistics See “Show statistics command” on page 158.<br />
sysinfo See “Show sysinfo command” on page 158.<br />
sysupgrade See “Show sysupgrade command” on page 159.<br />
trace See “Show trace command” on page 159.<br />
tunnel_switch See “Show tunnel_switch command” on page 159.<br />
version See “Show version command” on page 160.<br />
Show address command<br />
Display current address groups<br />
WG#show address<br />
Effect<br />
Displays the current catalog of address groups<br />
stored in this <strong>WatchGuard</strong> Firebox Vclass security<br />
appliance.<br />
Arguments<br />
None.<br />
Display contents of address group<br />
WG#show address &lt;address_group_name&gt;<br />
Effect<br />
Displays the current contents of a specifically<br />
named address group.<br />
Arguments<br />
&lt;address_group_name&gt;<br />
The name of the address group to display.<br />
Example<br />
WG#show address exec_staff<br />
Show alarm command<br />
WG#show alarm [definition|log [more|follow]]<br />
Effect<br />
Displays a summary of current outstanding alarms.<br />
Arguments<br />
definition<br />
Displays the list of alarm definitions and whether<br />
each is enabled.<br />
log more<br />
Displays the log of all alarms triggered since the<br />
log was last cleared, 20 lines at a time.<br />
log follow<br />
Displays the last 5 lines of the alarm log and<br />
updates as further alarms are generated.<br />
Example<br />
WG#show alarm log more<br />
Show all_routes command<br />
WG#show all_routes<br />
Effect<br />
Displays a summary of the routes, static and<br />
dynamic, recorded in this <strong>WatchGuard</strong> appliance.<br />
Arguments<br />
None.<br />
Example<br />
WG#show all_routes<br />
Show certificate command<br />
WG#show certificate<br />
Effect<br />
Displays the complete collection of certificates,<br />
including pending requests, root certificates and<br />
system certificates.<br />
Example<br />
WG#show certificate<br />
Display certificate settings<br />
WG#show certificate [ca|sys|pending|"cert_id"]<br />
Effect<br />
Displays the settings of the certificates selected by<br />
type, or of a single certificate selected by its ID.<br />
Arguments<br />
ca|sys|pending<br />
Selects the type of certificates to review: root (ca),<br />
system (sys) or pending requests.<br />
&lt;cert_id&gt;<br />
The ID number of one certificate, whether root,<br />
system or pending.<br />
Examples<br />
WG#show certificate pending<br />
WG#show certificate 19478<br />
Show CPM command<br />
WG#show cpm<br />
Effect<br />
Shows whether CPM is enabled or disabled, and<br />
general CPM information.<br />
Arguments<br />
None.<br />
Example<br />
WG#show cpm<br />
Show denial_of_service command<br />
WG#show denial_of_service<br />
Effect<br />
Displays the DOS and DDOS configurations<br />
currently active in this appliance.<br />
Arguments<br />
None.<br />
Show diagnostics command<br />
WG#show diagnostics<br />
Effect<br />
Shows some diagnostic information for the<br />
appliance.<br />
Arguments<br />
None.<br />
Example<br />
WG#show diagnostics<br />
Show DNS command<br />
WG#show dns<br />
Effect<br />
Displays any DNS configurations.<br />
Arguments<br />
None<br />
Show IKE command<br />
WG#show ike &lt;action|policy&gt;<br />
Effect<br />
Displays the current catalog of IKE actions or IKE<br />
policies, depending on the argument.<br />
Arguments<br />
&lt;action|policy&gt;<br />
Specifies whether actions or policies are listed.<br />
Example<br />
WG#show ike action<br />
Display IKE policy parameters<br />
WG#show ike &lt;action|policy&gt; &lt;name&gt;<br />
Effect<br />
Displays the parameters of a specifically named<br />
IKE policy or action.<br />
Arguments<br />
action &lt;name&gt;<br />
Displays the contents of the named action.<br />
policy &lt;name&gt;<br />
Displays the contents of the named policy.<br />
Examples<br />
WG#show ike action basic<br />
WG#show ike policy secure_VPN<br />
Show interface command<br />
WG#show interface<br />
Effect<br />
Displays a detailed summary of all data interfaces<br />
in this <strong>WatchGuard</strong> appliance.<br />
Arguments<br />
None<br />
Example<br />
WG#show interface<br />
Show IPSec command<br />
WG#show ipsec &lt;action|proposal&gt;<br />
Effect<br />
Displays the current catalog of IPSec actions or<br />
proposals, depending on the argument.<br />
Arguments<br />
&lt;action|proposal&gt;<br />
Specifies the type of IPSec component, action or<br />
proposal, that you want to review.<br />
Example<br />
WG#show ipsec proposal<br />
Display an IPSec proposal or action<br />
WG#show ipsec &lt;action|proposal&gt; &lt;name&gt;<br />
Effect<br />
Displays the contents of a specifically named IPSec<br />
proposal or action. Type the action or proposal<br />
name after the type keyword to view its settings.<br />
Arguments<br />
&lt;action|proposal&gt;<br />
Specifies the type of IPSec component, action or<br />
proposal, that you want to review.<br />
&lt;name&gt;<br />
The name of the specific proposal or action that<br />
you want to review in detail.<br />
Examples<br />
WG#show ipsec proposal md5_sha<br />
WG#show ipsec action most_secure<br />
Show LDAP command<br />
WG#show ldap<br />
Effect<br />
Displays any current LDAP server connection<br />
settings.<br />
Arguments<br />
None<br />
Show license command<br />
WG#show license [license_id]<br />
Effect<br />
Displays the current license file information. You<br />
can copy a license ID shown by this command and<br />
paste it after show license to see the details of<br />
that license.<br />
Arguments<br />
[license_id]<br />
Optional. The ID of the license to show in detail;<br />
without it the command lists all licenses.<br />
Example (show license without a license ID)<br />
WG#show license<br />
Ord  License Name         License ID        Expiration Date<br />
1    DATE_11-6-2002_10:5  64DFC18A261A4771  04-02-2003<br />
Example (show license with a license ID)<br />
WG#show license 64DFC18A261A4771<br />
License Name: DATE_11-6-2002_10:51<br />
License ID: 64DFC18A261A4771<br />
Feature(s):<br />
UPGRADE<br />
3DES<br />
Expiration Date: 04-02-2003<br />
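An added example, not part of this guide or of WatchGuard's software: a Python audit script that parses the two show license output formats shown above (the samples are constructed from the guide's output and embedded in the code) and reports licenses that are expired or about to expire. It assumes the MM-DD-YYYY date format and the 16-hex-digit license ID format seen in the samples; note that the summary table truncates the license name, so the script keys on the license ID.<br />

```python
"""Audit WatchGuard Vclass 'show license' output for expiring licenses.

Added example (not WatchGuard code). The two samples below are constructed
from the output formats printed in the CLI guide. Assumptions: dates are
MM-DD-YYYY (as in the sample value 04-02-2003) and license IDs are 16
upper-case hex digits (as in 64DFC18A261A4771).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

# Constructed sample of 'show license' (summary table).
SUMMARY_OUTPUT = """\
Ord  License Name         License ID        Expiration Date
1    DATE_11-6-2002_10:5  64DFC18A261A4771  04-02-2003
"""

# Constructed sample of 'show license 64DFC18A261A4771' (detail view).
DETAIL_OUTPUT = """\
License Name: DATE_11-6-2002_10:51
License ID: 64DFC18A261A4771
Feature(s):
    UPGRADE
    3DES
Expiration Date: 04-02-2003
"""

# One summary row: ordinal, name (may contain spaces), 16-hex-digit ID, date.
_ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+([0-9A-F]{16})\s+(\d{2}-\d{2}-\d{4})\s*$")


@dataclass
class License:
    license_id: str
    name: str
    expiration: date
    ord: Optional[int] = None                          # summary table only
    features: list[str] = field(default_factory=list)  # detail view only


def parse_date(text: str) -> date:
    """Expiration dates print as MM-DD-YYYY (assumed from the sample)."""
    return datetime.strptime(text.strip(), "%m-%d-%Y").date()


def parse_summary(output: str) -> list[License]:
    """Parse the table printed by 'show license' with no ID argument."""
    licenses = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:  # the column header and blank lines do not match
            ord_, name, lic_id, exp = m.groups()
            licenses.append(License(lic_id, name, parse_date(exp), int(ord_)))
    return licenses


def parse_detail(output: str) -> License:
    """Parse the detail view printed by 'show license <license_id>'."""
    fields: dict[str, str] = {}
    features: list[str] = []
    in_features = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Feature(s):":
            in_features = True
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("License Name", "License ID", "Expiration Date"):
            in_features = False
            fields[key] = value.strip()
        elif in_features:
            features.append(line)  # one feature name per indented line
        else:
            raise ValueError(f"unexpected line in license detail: {line!r}")
    return License(license_id=fields["License ID"], name=fields["License Name"],
                   expiration=parse_date(fields["Expiration Date"]),
                   features=features)


def days_remaining(lic: License, today: date) -> int:
    """Negative once the license has expired."""
    return (lic.expiration - today).days


def expiring(licenses: list[License], today: date, within_days: int = 30) -> list[License]:
    """Licenses that are expired or expire within 'within_days' of 'today'."""
    return [lic for lic in licenses if days_remaining(lic, today) <= within_days]


def matches(summary: License, detail: License) -> bool:
    """Key on the ID, not the name: the summary table truncates the name
    column (DATE_11-6-2002_10:5 versus DATE_11-6-2002_10:51 in the guide)."""
    return summary.license_id == detail.license_id and summary.expiration == detail.expiration


if __name__ == "__main__":
    today = date(2003, 3, 20)  # fixed reference date for a reproducible run
    for lic in expiring(parse_summary(SUMMARY_OUTPUT), today):
        detail = parse_detail(DETAIL_OUTPUT)
        assert matches(lic, detail)
        print(f"{lic.license_id}: {days_remaining(lic, today)} days left, "
              f"features={detail.features}")
```

In practice the two strings would be replaced by the text captured from the appliance's console session; everything else stays the same.<br />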
Show log command<br />
WG#show log &lt;config|log_type&gt; [more]<br />
Effect<br />
Displays the last 25 entries of the designated log.<br />
If you enter “config” as the argument, the <strong>CLI</strong><br />
displays the configuration settings for all logs.<br />
Arguments<br />
config<br />
Displays the current configuration of the server,<br />
traffic and event logs.<br />
&lt;log_type&gt;<br />
One of the six log types. If you omit the log type,<br />
the <strong>CLI</strong> lists the log types you can view.<br />
[more]<br />
Displays the complete contents of the specified log,<br />
one page at a time.<br />
Example<br />
WG#show log traffic<br />
Show mode command<br />
WG#show mode<br />
Effect<br />
Displays whether the system is running in Router<br />
or Transparent Mode.<br />
Arguments<br />
None<br />
Example<br />
WG#show mode<br />
Show NAT command<br />
WG#show nat<br />
Effect<br />
Lists any current NAT actions stored in this<br />
appliance database.<br />
Arguments<br />
None<br />
Display NAT action configuration<br />
WG#show nat &lt;nat_action_name&gt;<br />
Effect<br />
Displays the configuration of a specifically named<br />
NAT action.<br />
Arguments<br />
&lt;nat_action_name&gt;<br />
The exact name of the NAT action you want to<br />
review.<br />
Example<br />
WG#show nat static_NAT1<br />
Show NTP command<br />
WG#show ntp<br />
Effect<br />
Displays the Network Time Protocol configuration.<br />
Arguments<br />
None.<br />
Example<br />
WG#show ntp<br />
Show policy command<br />
WG#show policy &lt;policy_name&gt;<br />
Effect<br />
Displays the parameters and settings of a specifically<br />
named security policy.<br />
Arguments<br />
&lt;policy_name&gt;<br />
The exact name of the security policy you want to<br />
review.<br />
Example<br />
WG#show policy SJO-NYC_VPN<br />
List active security policies<br />
WG#show policy<br />
Effect<br />
Lists all active security policies stored in this<br />
<strong>WatchGuard</strong> appliance.<br />
Arguments<br />
None<br />
Example<br />
WG#show policy<br />
Show QoS command<br />
WG#show qos &lt;system|action&gt;<br />
Effect<br />
Displays either the current system QoS configuration<br />
or the list of currently available QoS actions,<br />
depending on the argument.<br />
Arguments<br />
&lt;system|action&gt;<br />
Selects the current system QoS setting or the list of<br />
available QoS actions.<br />
Example<br />
WG#show qos system<br />
Show QoS action configuration<br />
WG#show qos action &lt;qos_action_name&gt;<br />
Effect<br />
Displays the configuration of a specified QoS<br />
action.<br />
Arguments<br />
&lt;qos_action_name&gt;<br />
The exact name of the QoS action you want to<br />
review.<br />
Example<br />
WG#show qos action slow_to_55<br />
Show RAS command<br />
WG#show ras &lt;group_profile|user_profile|database&gt;<br />
Effect<br />
Displays a complete listing of the specified RAS<br />
component: group profiles, user profiles or the<br />
database configuration.<br />
Arguments<br />
&lt;group_profile|user_profile|database&gt;<br />
Selects the list of group profiles, the list of user<br />
profiles or the database settings.<br />
Example<br />
WG#show ras database<br />
Display specific RAS contents<br />
WG#show ras &lt;group_profile|user_profile&gt; &lt;name&gt;<br />
Effect<br />
Displays the contents of the specifically named<br />
RAS component, a user profile or a group profile.<br />
Arguments<br />
&lt;group_profile|user_profile&gt;<br />
Selects a group profile or a user profile.<br />
&lt;name&gt;<br />
The name of the profile that you want to review.<br />
Example<br />
WG#show ras user_profile sales12<br />
Show route command<br />
WG#show route<br />
Effect<br />
Displays a list of active routes.<br />
Arguments<br />
None<br />
Example<br />
WG#show route<br />
Show SA command<br />
WG#show sa &lt;p1|p2&gt; [id]<br />
Effect<br />
Lists the current phase-one SAs or phase-two tunnels<br />
in some detail. If you add the ID of a specific<br />
phase-one SA or phase-two tunnel, the <strong>CLI</strong><br />
displays the details of that item.<br />
Arguments<br />
&lt;p1|p2&gt;<br />
Selects the list of phase-one SAs or the list of<br />
phase-two tunnels. Either list is a complete catalog<br />
of the requested items, in a table with considerable<br />
detail about each one.<br />
[id]<br />
With p1, displays a summary of the identified SA.<br />
With p2, displays a summary of the requested<br />
tunnel's activity.<br />
Example<br />
WG#show sa p2 209<br />
Show service command<br />
List all service groups<br />
WG#show service<br />
Effect<br />
Displays a complete list of all service groups.<br />
Arguments<br />
None<br />
Example<br />
WG#show service<br />
Display service group settings<br />
WG#show service &lt;service_group_name&gt;<br />
Effect<br />
Displays the settings for a named service group,<br />
including port numbers and any associated<br />
protocols.<br />
Arguments<br />
&lt;service_group_name&gt;<br />
The exact name of the service group you want to<br />
review in detail.<br />
Example<br />
WG#show service e-mail<br />
Show SNMP command<br />
WG#show snmp<br />
Effect<br />
Displays the SNMP settings for the appliance.<br />
Arguments<br />
None.<br />
Example<br />
WG#show snmp<br />
Show statistics command<br />
WG#show statistics<br />
WG#show statistics ras [user_ID]<br />
WG#show statistics p1sa [ID]<br />
WG#show statistics p2sa [ID]<br />
Effect<br />
Displays statistics for RAS, or for phase-one or<br />
phase-two SAs.<br />
Arguments<br />
ras [user_ID]<br />
RAS statistics, optionally restricted to one user.<br />
p1sa [ID]<br />
Phase-one SA statistics, optionally for one SA.<br />
p2sa [ID]<br />
Phase-two SA statistics, optionally for one SA.<br />
Example<br />
WG#show statistics ras ras_user<br />
Show sysinfo command<br />
WG#show sysinfo<br />
Effect<br />
Displays the basic "general" system configurations,<br />
including appliance name, location, and contact<br />
person's name.<br />
Arguments<br />
None<br />
Example<br />
WG#show sysinfo<br />
Show sysupgrade command<br />
WG#show sysupgrade<br />
Effect<br />
Displays a chronological record of recent system<br />
software upgrades (including version number and<br />
date) installed in this <strong>WatchGuard</strong> appliance.<br />
Arguments<br />
None<br />
Example<br />
WG#show sysupgrade<br />
Show trace command<br />
Show tunnel_switch command<br />
WG#show tunnel_switch<br />
Effect<br />
Displays the status of the tunnel switching hardware<br />
feature in this appliance: OFF or ON.<br />
Arguments<br />
None<br />
Example<br />
WG#show tunnel_switch<br />
Show version command<br />
WG#show version<br />
Effect<br />
Displays the version number of <strong>WatchGuard</strong><br />
operating software.<br />
Arguments<br />
None<br />
Example<br />
WG#show version<br />
Index<br />
A<br />
abbreviations 8<br />
abort system configuration<br />
changes 43<br />
accelerated data interface, set<br />
physical speed of 139<br />
adding settings and policies 10<br />
address group modification 43<br />
address group, display specific 146<br />
address groups, display all 145<br />
administration mode commands 15,<br />
27<br />
appliance maintenance commands 22<br />
apply changes 22<br />
apply changes to interface<br />
configuration 95<br />
apply recent configuration changes 45<br />
argument entry syntax 9<br />
argument options by command, list<br />
of 17<br />
ARP cache, display 129<br />
ARP cache, manipulate 129<br />
available commands 17<br />
available tasks 2<br />
B<br />
\ character, use of 9<br />
C<br />
case sensitivity of object strings 9<br />
certificate configuration mode, entry<br />
into 45<br />
certificate settings, display<br />
specific 147<br />
certificate, import VPN 69<br />
certificate, request VPN 67<br />
certificate, show properties 70<br />
certificates, display all 147<br />
change system mode 94<br />
<strong>CLI</strong> by command<br />
administration mode<br />
downgrade 29<br />
enable 108<br />
export 30<br />
flush 31<br />
ha_sync 31<br />
passwd 36<br />
reboot 37<br />
restore_default 38<br />
shutdown 38<br />
all mode commands<br />
exit 14<br />
history 14<br />
top 15<br />
configuration, level 1<br />
abort 43<br />
address 43<br />
certificate 45<br />
commit 45<br />
delete 45<br />
denial_of_service 46<br />
high_availability 47<br />
high_availability (disable) 48<br />
history 66<br />
ike 48<br />
interface 49<br />
ipsec 49<br />
license 49<br />
nat 54<br />
nat (dynamic action) 56<br />
policy 57<br />
qos 60<br />
ras 61<br />
rename 61<br />
schedule 62<br />
service 63
system 64<br />
tenant 65<br />
tunnel_switch 65<br />
configuration, level 2<br />
action (ike) 78<br />
action (IPSec) 95<br />
action (QoS) 100<br />
active_feature (license) 117<br />
database (RAS) 105<br />
delete (license) 118<br />
dns (system) 108<br />
enable (high_availability) 74<br />
exit (high_availability) 76<br />
exit (interface) 95<br />
fwuser (system -<br />
idle_timeout) 109<br />
group_profile (RAS) 102<br />
ha2 (interface) 93<br />
import 69<br />
import (license) 117<br />
interface 82<br />
interface (system) 110<br />
interface 0 (interface) 83<br />
interface 1 (interface) 86<br />
interface 2 (interface) 90<br />
ldap (system) 110<br />
log (system) 111<br />
mode 94<br />
policy (ike) 80<br />
private (interface) 85<br />
proposal (IPSec) 99<br />
request 67<br />
route (system) 113<br />
show 70<br />
show (high_availability) 72<br />
show (interface) 82<br />
show (license) 118<br />
snmp (system) 114<br />
ssl 71<br />
sysinfo (system) 115<br />
system (QoS enable/<br />
disable) 101<br />
user_domain (tenant) 120<br />
user_profile (RAS) 103<br />
vlan (tenant) 119<br />
vlan_fowarding (system) 116<br />
configuration, level 3<br />
dynamic (system\route) 123<br />
event (system\log) 124<br />
remote_log_server<br />
(system\log) 125<br />
static (system\route) 122<br />
traffic (system\log) 124<br />
display arguments<br />
show 145<br />
show address 145<br />
show address (by name) 146<br />
show all_routes 147<br />
show cert 147<br />
show cert (by ID) 147<br />
show denial_of_service 148<br />
show dns 148<br />
show ike 149<br />
show ike (by name) 149<br />
show interface 150<br />
show ipsec 150<br />
show ldap 151<br />
show log 152<br />
show mode 152<br />
show nat 153<br />
show nat (by name) 153<br />
show policy 154<br />
show policy (by name) 154<br />
show qos 154<br />
show qos (by name) 155<br />
show ras 155<br />
show ras (by name) 156<br />
show route 156<br />
show sa 156<br />
show service 157<br />
show service (by name) 157<br />
show sysinfo 158<br />
show sysupgrade 159<br />
show tunnel_switch 159<br />
show version 160<br />
troubleshooting<br />
arp 129<br />
clear_logs 129<br />
netstat 134<br />
ping 134<br />
radius_ping 135<br />
rs_kdiag 138<br />
slink 139<br />
tcpdump 140<br />
traceroute 140<br />
verbose_trace 141<br />
<strong>CLI</strong> capabilities 2<br />
<strong>CLI</strong> commands
administration mode<br />
disable 108<br />
<strong>CLI</strong> editing<br />
appending to recent command 11<br />
argument syntax 9<br />
use of \ character 9<br />
case sensitivity 9<br />
case sensitivity in object strings 9<br />
command abbreviation 8<br />
command prompt 8<br />
delete 10<br />
exchanging command arguments<br />
in recent command 12<br />
grouping parameters 10<br />
help command 17<br />
keywords 15<br />
line continuation 9<br />
<strong>CLI</strong> navigation 13<br />
command history 11<br />
command prompt, navigation with 8<br />
Common Criteria operation mode 35<br />
configuration, initial 20<br />
conn_idle_timeout 130<br />
connection to a workstation<br />
direct 5<br />
connection to workstation,<br />
through network 5<br />
conventions 3–5, 25–27<br />
currently available commands 17<br />
D<br />
data interfaces, display address<br />
settings 82<br />
data interfaces, show detailed<br />
summary of 150<br />
DDOS<br />
See denial of service<br />
DDOS configurations, show 148<br />
debug<br />
information not exported to<br />
xml 127<br />
debugging commands 127–141<br />
delete license 118<br />
delete specific configuration<br />
changes 45<br />
deleting items in database 22<br />
deleting text 10<br />
denial of service parameter<br />
configuration 46<br />
DHCP server configuration options 85<br />
disable 108<br />
disable keyword 15<br />
disable port shaping 101<br />
disable tunnel switching 65<br />
display commands 144<br />
display interface addresses<br />
See data interfaces<br />
DMZ See interface 2<br />
DNS configurations, show 148<br />
domain name, system level entry 108<br />
DOS See denial of service<br />
DOS configurations, show 148<br />
downgrade 29<br />
dump network traffic 140<br />
dynamic route, configure 123<br />
E<br />
enable 108<br />
enable keyword 15<br />
enable port shaping 101<br />
enable tunnel switching 65<br />
erase system configuration<br />
changes 43<br />
event log configuration 124<br />
exchanging command arguments in<br />
recent command 12<br />
!! for appending to most recent<br />
command 11<br />
!! recall command 11<br />
!number to recall recent command by<br />
number 11<br />
existing appliance<br />
log in 7<br />
export 30<br />
export cr/xml/log/ip 30<br />
extra features active, licensed 117<br />
F<br />
factory default appliance<br />
logging in 6<br />
factory default restoration 38<br />
FIPS operation mode 35
firewall authentication screens,<br />
replacing 132<br />
H<br />
HA 2 interface configuration 93<br />
HA configuration 47<br />
HA configuration, display 72<br />
HA enable 74<br />
HA, apply configuration changes 76<br />
HA, disabling 48<br />
ha_instant_sync 130<br />
ha_sync 31<br />
help 17<br />
help online 17<br />
high availability<br />
See HA<br />
high availability configuration, level<br />
2 72–76<br />
history 14, 66<br />
history buffer 11<br />
history buffer, size of 11<br />
history command 11<br />
hotsync process, initiate 31<br />
I<br />
ICMP ECHO_REQUEST, send 134<br />
idle_timeout, changing firewall<br />
user 109<br />
IKE action, record 78<br />
IKE configuration 48<br />
IKE configuration, level 2<br />
commands 78–82<br />
IKE policies, display all 149<br />
IKE policy or action, show parameters<br />
of 149<br />
IKE policy, record 80<br />
import<br />
XML profile 33<br />
import license 117<br />
import VPN certificate 69<br />
importscreen 132<br />
initial configuration commands 20<br />
interface 0 configuration 83<br />
interface 1 configuration 86<br />
interface 2 configuration 90<br />
interface address settings, display 82<br />
interface configuration entry 110<br />
interface configuration, enter 82<br />
interface configuration, level 2<br />
commands 82–95<br />
interfaces, show detailed summary<br />
of 150<br />
internal diagnostics, display 138<br />
IP addresses, system level entry 108<br />
IPSec action, recording 95<br />
IPSec configuration 49<br />
IPSec configuration, level 2<br />
commands 95–100<br />
IPSec proposal or action, show details<br />
of specific 150<br />
IPSec proposal, create or modify 99<br />
IPSec proposals or actions, show<br />
catalog of 150<br />
K<br />
keywords<br />
disable 15<br />
enable 15<br />
no 15<br />
L<br />
LDAP server connection settings,<br />
show 151<br />
LDAP server, activate connection 110<br />
LDAP server, deactivate<br />
connection 110<br />
Level 1 configuration mode 41<br />
Level 2 configuration mode 66–122<br />
Level 3 configuration mode 122–126<br />
license commands, level 2<br />
commands 117–119<br />
license configuration 49<br />
license, delete 118<br />
license, import new 117<br />
license, summarize a 118<br />
licensed features, active 117<br />
licenses available, list 118<br />
limitations 3<br />
line continuation 9<br />
line continuation character 9<br />
log configuration 111
log configuration, level 3<br />
commands 124–126<br />
log entries, clear 129<br />
log file, show last 25 entries of<br />
specific 152<br />
log into existing appliance 7<br />
log into factory default appliance 6<br />
log out 18<br />
M<br />
maintenance commands 22<br />
MSS 59, 112<br />
mss_adjustment 112<br />
mss_adjustment_per_policy 59<br />
N<br />
NAT action, record 54<br />
NAT action, show configuration of<br />
specific 153<br />
NAT actions, list current 153<br />
NAT, dynamic IP 56<br />
network address translation<br />
See NAT<br />
network status, view 134<br />
no keyword 15<br />
O<br />
object strings, case sensitivity of 9<br />
online help 24<br />
operation modes 35<br />
operation_mode command 35<br />
P<br />
passwd 36<br />
password, reset super user 36<br />
ping a device 134<br />
+ character, use of 10<br />
pppoe_config 135<br />
Private interface<br />
See interface 0<br />
profile<br />
import XML 33<br />
Public<br />
See interface 1<br />
Q<br />
QoS action, record new 100<br />
QoS actions, show current<br />
available 154<br />
QoS configuration entry 60<br />
QoS configuration, level 2<br />
commands 100–101<br />
QoS configuration, show all current<br />
system 154<br />
QoS configuration, show specific 155<br />
Quality of Service<br />
See QoS<br />
? command 17<br />
R<br />
RADIUS server, test connections to<br />
security appliance 135<br />
RAS account, create or modify 103<br />
RAS authentication database, where<br />
stored 105<br />
RAS configuration mode 61<br />
RAS configuration, level 2<br />
commands 102–106<br />
RAS group profile, modify or<br />
create 102<br />
RAS, show complete listing of 155<br />
RAS, show specific RAS<br />
component 156<br />
reboot 37<br />
recall most recent command 11<br />
recalling a recent command, not most<br />
recent 11<br />
recent commands list 14, 66<br />
reload old software 29<br />
remote log server connection,<br />
configure 125<br />
rename an existing object 61<br />
replace firewall authentication<br />
screens 132<br />
replacing settings and policies 10<br />
request VPN certificate 67<br />
reset connections 31
reset Vclass appliance 37<br />
return to next highest level 14<br />
return to top command level 15<br />
route configuration entry 113<br />
route configuration, level 3<br />
commands 122<br />
route information, display of 140<br />
routes, list all active 156<br />
routes, summarize all dynamic and<br />
static 147<br />
S<br />
SA information, show current phase 1<br />
or 2 156<br />
schedule a policy 62<br />
security policies, show active 154<br />
security policy commands 21<br />
security policy, create 57<br />
security policy, show parameters of<br />
specific 154<br />
service entry (individual or group)<br />
new 63<br />
service group, show specific 157<br />
service groups, show all 157<br />
set_dos_if 139<br />
show arguments, list 145<br />
show certificate properties 70<br />
show stored arguments 16<br />
show stored command entries 16<br />
show commands 144<br />
shut down <strong>WatchGuard</strong> appliance 38<br />
SNMP workstations, record<br />
connection data for 114<br />
software version number, display 160<br />
SSL certificate request 71<br />
static route configuration 122<br />
system configuration mode 64<br />
system configuration, level 2<br />
commands 107–116<br />
system configuration, show<br />
general 158<br />
system information, apply to security<br />
appliance 115<br />
system interface configuration 49<br />
system interface configuration,<br />
enter 82<br />
system mode, display 152<br />
system software upgrades, show<br />
recent 159<br />
T<br />
tasks available 2<br />
tasks not available 3<br />
TCP Maximum Segment Size<br />
(MSS) 59, 112<br />
tenant configuration mode entry 65<br />
tenant configuration, level 2<br />
commands 119–122<br />
tenant entry, record 119<br />
text deletion 10<br />
top command 14<br />
traffic log file, activate 124<br />
traffic log file, deactivate 124<br />
troubleshooting commands 127–141<br />
tunnel switching, show hardware<br />
status 159<br />
U<br />
unavailable tasks 3<br />
V<br />
verbose trace, disable 141<br />
verbose trace, enable 141<br />
view currently available<br />
commands 17<br />
vinstall 141<br />
VLAN forwarding disable 116<br />
VLAN forwarding, enable 116<br />
VLAN specific tenant entry,<br />
record 120<br />
VLAN tenant entry, record new 119<br />
W<br />
Web certificate<br />
See SSL certificate
X<br />
xml export<br />
debugging information not<br />
exported 127<br />
XML profile<br />
import 33<br />